In This Issue: • Risk Assessment Management Using COBIT 5


Volume 3, July 2013
In This Issue:
• Why, When and How to Migrate to COBIT 5
• COBIT 5 for Assurance Available Now
• Risk Assessment Management Using COBIT 5
• Top 5 Reasons COBIT 5 Training Is Critical
• Evidence Management for the COBIT 5 Assessment Programme
Come join the discussion! Sudarsan Jayaraman will respond to questions
in the discussion area of the COBIT 5—Use It Effectively topic
beginning 22 July 2013.
Why, When and How to Migrate to COBIT 5
By Sudarsan Jayaraman, CISA, CISM, BS 25999 LA, COBIT (F), ITIL V3 Expert, ISO 20000 LA, ISO 27001 LA, ISO 9001 LA
With the release of COBIT® 5, a new evolution in the thinking about managing and governing IT has taken shape. The question to answer is whether organizations that have invested in implementing earlier versions of COBIT have to migrate to COBIT 5. If yes, the next questions are why, when and how an organization migrates to the new framework.
Migrating to COBIT 5 is not the same as migrating software, hardware or a platform. Instead, it should be considered a transition in the way work is done to meet the requirements of stakeholders. That said, was this not already being done in the earlier versions of COBIT®? That is, how different is COBIT 5 from COBIT 4.1, and what benefits can an organization realize from this new release?
Call for Articles (sidebar): How are you using COBIT® at your enterprise? We welcome articles on your experiences with this framework. Deadline to submit copy for volume 4, 2013: 4 September 2013. Submit articles for peer review to: publication@isaca.org
Why Migrate to COBIT 5?
COBIT 4.1, while a popular framework, is considered by many to be an IT framework, not an enterprise framework. COBIT 4.1 addresses the IT requirement more as an operating model and a good-practice guideline for IT processes. After going through COBIT 5, one may get the feeling that COBIT 4.1 lacked the governance view of the organization and was more process-oriented. However, COBIT 4.1 does bring in the view of business-IT alignment by mapping enterprise goals to IT goals and finally to IT process goals.
COBIT 5 has further built on the process model and has clearly demarcated the
governance and management processes separately. A new governance domain is
introduced as a part of the COBIT 5 process reference model; this is a major
improvement that provides clarity on the management and governance functions
within an organization.
A major improvement in COBIT 5 is the introduction of the five key principles and seven enablers, which form the pillars of the framework. With these additions, COBIT 5 has aligned itself closely with the ISO/IEC 38500 standard.
Case Studies (sidebar): Visit the COBIT Recognition and Case Studies pages to read more COBIT 5 and COBIT 4.1 case studies.
COBIT 5 has retained the goal cascading model of COBIT 4.1; however, it has gone
further by including the stakeholder needs as the starting point of the mapping, which
then cascades to enterprise goals, IT goals and finally to enabler goals.
The other key difference to point out is that a new process assessment model (PAM) has been introduced. The COBIT PAM is aligned with the requirements of the ISO/IEC 15504 standard, which means a more stringent and accurate assessment of the relevant processes.
In brief, the key benefits of COBIT 5 for enterprises can be summarized as follows:
• Aligning business and IT more closely by taking into account the stakeholder
needs as the starting point. This provides more business focus with due
consideration of internal and external stakeholders’ needs.
• Introducing the seven enablers as a more efficient and effective way of using
resources to meet business requirements
• Showing the entire organization as responsible for governance of IT through the
holistic inclusion of enhanced role descriptions in the RACI chart
• Helping the organization to understand business perspective more clearly by
mapping the goals and objectives to a business scorecard model
Thus, for organizations that have implemented COBIT 4.1, migrating to the new
framework is a natural process of progression under which the organization will
extend its coverage of IT governance to an enterprisewide governance initiative.
When to Migrate to COBIT 5?
At this current age of economic stagnation, is it wise to reinvest and migrate to the
COBIT 5 framework? When is the right time to consider migration to COBIT 5?
There is no single answer to this question. However, if the organization is still in the
process of completing the COBIT 4.1 process implementation, it is advisable to
continue the implementation before considering a migration to the new framework
since any COBIT 4.1 implementation would have been typically initiated to respond to
business requirements for improvements or to address specific pain points
encountered by the organization. Since the respective controls to treat such issues
would have been identified from the earlier version of COBIT, it is better to continue
implementation and monitor whether the key goals are being accomplished, before
migrating to COBIT 5.
If the organization has implemented most of the COBIT 4.1 controls and has reached
what it believes to be a reasonable degree of maturity, it is time to consider migration
to COBIT 5, as COBIT 5 brings in the key differentiating aspect of segregating
governance from management, which is important to consider and is a new addition
with COBIT 5. Also, when using COBIT 5, the IT governance setup, which had been
typically more inward-focused, will transition into the model of governance of
enterprise IT (GEIT), in which involvement of enterprise stakeholders plays an
imperative role.
The following is a list of triggers that would suggest it is time to migrate to COBIT 5:
• Repeated failures of critical IT processes result in issues with the delivery of the services committed to the business.
• Risk to the business has not been reduced considerably and IT risk does not align
to enterprise risk.
• Controls implemented are more IT-oriented and do not span the enterprise.
Research Update (sidebar)
Recently Released COBIT 5 Materials:
• COBIT® 5 for Assurance
• COBIT 5 Implementation Training and Certificate
Upcoming Third Quarter 2013 COBIT 5 Releases:
• COBIT® 5: Enabling Information
• COBIT® 5 for Risk
• COBIT/COSO white paper
• COBIT 5 Assessor Training and Certificate
• COBIT Certified Assessor
Additional COBIT 5 Initiatives in Development:
• COBIT® 5 Online:
  - Access to publications in the COBIT 5 product family (tentative release fourth quarter 2013)
  - Access to other non-COBIT ISACA content and current, relevant GEIT material (tentative release first quarter 2014)
  - Ability to customize COBIT with multiple-user access (tentative release third quarter 2014)
For more information on COBIT publications and training, visit the COBIT 5 page of the ISACA web site. COBIT 5 translations are available on the COBIT Product Family page.
Figure 1—Pain Points and COBIT 5 Mitigations
Pain Area: Target Process(es)
• Failed Projects: BAI01 Manage Programs and Projects
• Ad hoc Initiatives/Planning: APO01 and APO02 IT Management Framework and Strategy
• Communication Within IT Division: APO09 Manage Service Agreements
• Management Reporting: MEA01 and MEA02 Performance and Internal Control
• End-user Responsibilities: APO09 Manage Service Agreements
• Support From Suppliers: APO10 Manage Suppliers
• Lack of Automation Tools: BAI02 and BAI03 Requirements Definition and Solutions Identification
• Accountability Among IT Staff: APO09 Manage Service Agreements (OLAs)
There are other pain triggers that may lead to migration to COBIT 5. Figure 1 provides an overview of pain points and typical
COBIT 5 processes that can be used to mitigate the issue.
How to Initiate Migration?
Before initiating a migration to the new framework, it is recommended to clearly set the objective of migration. That is, what
are the business benefits the organization will achieve by adopting the new framework? If a tangible and measurable goal is
set as the baseline, achievement can be measured and success of adoption can be demonstrated.
The key to a successful migration is to commence the activity by addressing the key pain areas within the organization. Once
the pain areas are identified, the following steps can be followed:
• Initiate an assessment to identify the status and maturity of the processes that are currently implemented, if any.
• Prepare a migration strategy by identifying the processes and the required enablers from COBIT 5 to be implemented.
• Identify the affected departments, sections and services that will be impacted by this migration.
• Ensure that a project management plan with time lines is created and a budget is allocated for this effort.
• Remember to run the migration activity through the change management process.
• Address the organizational change impact that this migration will create and have a transition plan to roll out the migration.
• Market and communicate the positive impact that will be achieved by this migration to get buy-in from top management.
Once the above initial steps are performed, the organization is ready to commence the journey. It is recommended to break
the entire migration into smaller scope areas that are manageable, because quick wins will motivate the migration team and
the organization to continue the journey.
Sudarsan Jayaraman, CISA, CISM, BS 25999 LA, COBIT (F), ITIL V3 Expert, ISO 20000 LA, ISO 27001 LA,
ISO 9001 LA
Is a director of technology risk services at Protiviti Member Firm (Middle East). He has more than 20 years of experience in IT
advisory and consultancy services, focusing predominantly on IT governance, IT service management and information security
management. Jayaraman has successfully managed and facilitated ISO 27001 and ISO 20000 certification at a number of
large and prestigious companies in the Middle East.
COBIT 5 for Assurance Available Now
By Anthony Noble, CISA
COBIT® 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and
management of enterprise IT (GEIT). Simply stated, it helps enterprises to create optimal value from IT by maintaining a
balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and
managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas
of responsibility, considering the IT-related interests of internal and external stakeholders.
COBIT® 5 for Assurance builds on the COBIT 5 framework. Focused on assurance, it provides more detailed and practical
guidance for assurance professionals and other interested parties at all levels of the enterprise on how to use COBIT 5 to
support a variety of IT assurance activities. If an enterprise is already using COBIT 5 as its framework for the governance and
management of enterprise IT, COBIT 5 for Assurance enables the enterprise to leverage COBIT 5 when planning and
performing assurance reviews, so that the business, IT and assurance professionals are aligned around a common framework
and common objectives. However, the enterprise does not have to be currently using COBIT 5 to use COBIT 5 for Assurance.
The main drivers for assurance include:
• Providing interested parties substantiated opinions on GEIT according to agreed-upon assurance objectives
• Defining assurance objectives in line with enterprise objectives, thus maximizing the value of assurance initiatives
• Satisfying regulatory or contractual requirements for enterprises to provide assurance over their IT arrangements
Assurance means that, pursuant to an accountability relationship between two or more parties, an IT audit or assurance professional may be engaged to issue a written communication expressing a conclusion about the subject matter to the accountable party or another interested party. Assurance refers to a number of related activities designed to provide the reader
or user of the report with a level of assurance or comfort over the subject matter. For example, assurance engagements could
include support for audited financial statements; assessment of value provided by IT to the enterprise; reviews of controls;
compliance with required standards and practices; and compliance with agreements, licenses, legislation and regulations.
An assurance initiative consists of five components, as illustrated in figure 1.
Figure 1—Assurance Components (image not reproduced)
Source: ISACA, COBIT 5 for Assurance, USA, 2013, p. 15
Subject matter is the specific information, practices or controls (e.g., any of the seven COBIT 5 enablers) that are the subject
of an audit or assurance professional’s review, examination and report. This subject matter can include the design or
operation of internal controls and management practices over any aspect of the enterprise, or compliance with privacy
practices, standards, or specified laws and regulations.
Criteria are the standards and benchmarks (e.g., COBIT 5) used to measure and present the subject matter and against
which the practitioner evaluates the subject matter. Criteria can be formal or less formal. There can be different criteria for the
same subject matter. Suitable criteria are required for reasonably consistent evaluation or measurement of a subject matter
within the context of professional judgment. Suitable criteria must have the necessary goal attributes as defined in the COBIT
5 Information model—objectivity, measurability, understandability, completeness and relevance.
When undertaking an assurance activity, the assurance professional executes the assignment by following a structured
approach, dependent on other enablers, to reach a conclusion on the evaluation of the subject matter.
The process of evaluating the results of audit or assurance testing, after confirmation, to arrive at conclusions and
recommendations can be complex. What appears to be a problem may, in fact, be the effect of a problem, not the cause.
Therefore, it is important for the assurance professional to follow the conclusion process—from confirming facts with key
individuals in the areas being audited to determining root causes. The individual findings can then be used to provide
examples that support higher-level analysis:
• Developing various scenarios leading to potential recommendations
• Selecting an appropriate recommendation that is practical and achievable
• Identifying steps necessary to ensure the buy-in of key stakeholders
Indeed, audit and assurance professionals should obtain an adequate understanding of the subject matter and its business
environment. They should see the bigger picture, link the impact of the issues/findings to the overall organizational strategic
goals and objectives to tell the story behind the story, and communicate valuable insights. Executives are not very interested
in knowing the observations; they need to understand the insights behind the findings.
The basics of a generic assurance process comprise the four components described above: it defines a scope relating to the subject matter, it sets suitable criteria based on a sound reference model, it executes the assignment and then it issues a conclusion to the user.
To address the assurance drivers, COBIT 5 for Assurance:
• Provides guidance on how to use the COBIT 5 framework to establish and sustain assurance provisioning and an
assurance function for the enterprise
• Provides a structured approach on how to provide assurance over enablers (all of COBIT 5’s defined enablers, e.g.,
processes, information, organizational structures)
• Illustrates the structured approach with a number of concrete examples of audit/assurance programs
A major benefit of COBIT 5 for Assurance is that users can rely on the consistency, structure, context and vocabulary of the
COBIT 5 framework and its related products. The COBIT 5 framework addresses GEIT, helping to align business and IT
management and providing a basis for improving IT performance. If assurance professionals base their reviews on the same
framework as that used by business and IT managers who are improving value of IT for the enterprise, everyone involved will
be using a common language, and it will be easier to agree on and implement control improvements as necessary.
This guide can be used by assurance professionals for many different purposes, including:
• Obtaining a view (based on COBIT 5 concepts such as the enablers) on current good practices of assurance
• Learning how to use different COBIT 5 components and related concepts for planning, scoping, executing and reporting
on various types of IT assurance initiatives
• Obtaining a view of the extent to which the value objective of the enterprise—delivering benefits while optimizing risk and
resource use—is achieved
The target audience for COBIT 5 for Assurance is broad and includes:
• Assurance professionals at various governance and management levels
• Boards and audit committees, as stakeholders who commission assurance activities
• Business and IT management, as responsible parties
• External stakeholders, including external auditors, regulators and customers
Although this guide is aimed primarily at assurance professionals, it may also be of interest to IT professionals and advisors.
COBIT 5 for Assurance may be most useful to experienced professionals, as it is not intended to provide a tutorial on IT
assurance.
Anthony Noble, CISA
Is the New York-based vice president of IT audit for Viacom Inc. He has 30-plus years of IT experience and 20 years of
experience as an IT auditor. He is a member of ISACA’s Knowledge Board and was the chair of the COBIT 5 for Assurance
Guide Task Force.
Come join the discussion! Vince Londini will respond to questions in the discussion area of the
COBIT 5—Use It Effectively topic beginning 22 July 2013.
Risk Assessment Management Using COBIT 5
By Vince Londini, CSPO
As a regional US grocery chain based in a major metropolitan area, FamilyGrocer (name changed) had experienced rapid
growth through new store openings and acquisitions. With a focus on supply-chain efficiencies, FamilyGrocer distributes most
products to its stores through a warehouse facility that also houses key offices and IT resources. In light of the risk associated
with such a consolidated operation, the IT organization received a mandate from its board of directors to formally manage IT-related risk. The mandate specifically called for an initial high-level assessment of IT organizational risk, drawing largely from
internal expertise. The board also requested that the IT organization demonstrate an ongoing program to manage risk.
The IT organization enjoyed a membership with Info-Tech Research Group to access its best-practices research and vendor-selection guidance. Engaging with Info-Tech to conduct a COBIT-based operations workshop on risk management was a
natural next step.
Info-Tech based the workshop on COBIT® 5 because of COBIT 5’s clear and concise framework for capturing key IT
processes (along with process interplay and documentation requirements). COBIT is a trusted framework used by IT auditors
and other IT professionals, particularly in the strategy, security and risk areas of practice.
Throughout the week-long workshop, key members of the IT management team, as well as the chief information officer (CIO),
worked with the facilitator to document their insights and understanding, using COBIT to draw out their knowledge of IT risk
and arrange it in a manner suitable for analysis.
The risk assessment began by examining COBIT 5’s EDM03 (Ensure Risk Optimisation) and APO12 (Manage Risk) processes, from the Evaluate, Direct and Monitor (EDM) and Align, Plan and Organize (APO) domains respectively, and conducting a simple self-assessment to ascertain process capability. The IT organization identified that it had no functioning IT risk management processes in place and, thus, assigned level zero to its process capability. The team set a goal of level two (managed process) capability, with the performance management and work product management attributes achieved. The IT organization leveraged the Info-Tech facilitator and methodology to conduct high-level brainstorming with key team members, aimed at identifying IT risk factors relevant to the client organization.
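The self-assessment step above turns process-attribute ratings into a capability level. The following is an added example, not code from the article, Info-Tech or ISACA, implementing the ISO/IEC 15504-2 rule used by the COBIT 5 PAM: a process sits at level N when every attribute below N is Fully achieved and every attribute at level N is at least Largely achieved. It also reports which attributes still need uplift to reach a target such as the level-2 goal set here. The EDM03/APO12 rating snapshots are constructed for illustration and are not results reported by the article.

```python
"""Derive a COBIT 5 PAM process capability level from process-attribute ratings.

Added example, not code from the article or from ISACA. The attribute list and
the N/P/L/F scale follow ISO/IEC 15504-2 as adopted by the COBIT 5 PAM; the
sample EDM03/APO12 ratings are constructed, not the workshop's results.
"""
from __future__ import annotations

# Process attributes per capability level (ISO/IEC 15504-2 / COBIT 5 PAM).
ATTRIBUTES_BY_LEVEL: dict[int, tuple[str, ...]] = {
    1: ("PA1.1",),          # process performance
    2: ("PA2.1", "PA2.2"),  # performance management, work product management
    3: ("PA3.1", "PA3.2"),  # process definition, process deployment
    4: ("PA4.1", "PA4.2"),  # process measurement, process control
    5: ("PA5.1", "PA5.2"),  # process innovation, process optimisation
}

# Rating scale: N (0-15%), P (>15-50%), L (>50-85%), F (>85-100%) achieved.
RATING_RANK = {"N": 0, "P": 1, "L": 2, "F": 3}


def _rank(ratings: dict[str, str], attr: str) -> int:
    # An attribute that was never rated counts as Not achieved, so a level
    # cannot be claimed simply by leaving its attributes out of the record.
    return RATING_RANK[ratings.get(attr, "N").upper()]


def capability_level(ratings: dict[str, str]) -> int:
    """Return the capability level (0-5) supported by the given ratings."""
    level = 0
    for lvl in range(1, 6):
        ranks = [_rank(ratings, a) for a in ATTRIBUTES_BY_LEVEL[lvl]]
        if not all(r >= RATING_RANK["L"] for r in ranks):
            break  # this level is not reached
        level = lvl
        if not all(r == RATING_RANK["F"] for r in ranks):
            break  # reached, but not Fully achieved, so it cannot support the next level
    return level


def gap_to_target(ratings: dict[str, str], target: int) -> dict[str, str]:
    """Attributes that must be raised to reach `target`, mapped to the minimum
    rating each needs: 'F' for levels below the target, 'L' at the target."""
    gaps: dict[str, str] = {}
    for lvl in range(1, target + 1):
        needed = "L" if lvl == target else "F"
        for attr in ATTRIBUTES_BY_LEVEL[lvl]:
            if _rank(ratings, attr) < RATING_RANK[needed]:
                gaps[attr] = needed
    return gaps


def assess(process_ratings: dict[str, dict[str, str]], target: int) -> dict[str, dict]:
    """Level achieved and remaining gaps for each process against `target`."""
    return {
        proc: {"level": capability_level(r), "gaps": gap_to_target(r, target)}
        for proc, r in process_ratings.items()
    }


# Constructed sample: nothing rated at the start of the workshop, and a
# hypothetical re-assessment against the level-2 goal some months later.
BEFORE = {"EDM03": {}, "APO12": {}}
AFTER = {
    "EDM03": {"PA1.1": "F", "PA2.1": "L", "PA2.2": "L"},
    "APO12": {"PA1.1": "F", "PA2.1": "P", "PA2.2": "L"},
}


if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE), ("after", AFTER)):
        for proc, result in assess(snapshot, target=2).items():
            print(f"{label:6} {proc}: level {result['level']}, gaps {result['gaps']}")
```

Note the two break conditions: a process whose level-1 attribute is only Largely achieved stays at level 1 no matter how its level-2 attributes are rated, which is the check that stops a team from claiming level 2 on the strength of the higher attributes alone.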
The team then dug in to brainstorm and document risk events, identifying actors and threat type. A prioritization rubric was developed and applied to sort the risk events. The team documented (where programs were in progress) or identified (net-new programs) the resources/time needed to mitigate the priority risk factors.
Finally, the team made critical decisions to determine the shape of the IT organization’s ongoing risk management. These
included definitions of roles and responsibilities, management activities, information-gathering activities, and communication
plans.
As the decisions were achieved, each was codified in the relevant program manuals, standard operating procedures,
assessment tools, project requests, and templates for policies and communication.
The key outputs from this workshop included:
1. A catalog of IT risk events—As described previously, this catalog not only documented risk events but also the high-level mitigation strategies, initiating IT project requests as needed for items not already on the project calendar.
2. An IT risk management program guide—This document captured critical decisions, including the team’s rubrics for
assessing risk event severity and risk event likelihood. The document described the ongoing IT risk management steering
committee process to which the team committed during the workshop.
3. A presentation to the firm’s board on the IT risk management assessment and program—This presentation
described the progress made during the workshop, highlighted key risk factors and remediation, requested additional
budget, and summarized the ongoing risk management program to the board.
FamilyGrocer emerged from the workshop with all of the process documentation required to begin executing the process the
following Monday, along with the relevant to-do items needed to mitigate the identified technology, people and process gaps.
The following week, the CIO presented the workshop summary to the board, which noted the thoroughness of the initial IT risk
assessment and the ongoing risk management program that was designed during the workshop. Two months later, progress
toward risk remediation remains strong, and IT leaders remain committed to the ongoing risk management program.
Vince Londini, CSPO
Serves as practice leader with Info-Tech Research Group. His recent work includes applying Info-Tech’s COBIT-based
workshop methodologies to help clients in the US and Canada improve their IT risk management, project portfolio
management, change management and service desk processes.
Top 5 Reasons COBIT 5 Training Is Critical
By Mark Thomas
When organizations are looking to adopt COBIT® 5, many questions arise. Does the enterprise fully understand what
governance and management of enterprise IT (GEIT) means? Do the enterprise’s IT governance professionals know how to
effectively assess the current state of enterprise IT with the objective of scoping what aspects of COBIT 5 to implement? Is
the enterprise able to complete an assessment to determine the capability of a defined process?
COBIT 5 training is an important component in ensuring IT governance professionals have the answers to these questions
and are becoming skilled, competent and proficient COBIT professionals. While many concepts may be familiar to those who
are in the IT space, this evolutionary version incorporates the latest thinking in enterprise governance and management
techniques, and provides globally accepted principles, practices, analytical tools and models. The need for a proper training
program for IT and business professionals on what COBIT is and how it can be used and implemented is critical.
COBIT training is intended for business management, chief executives, IT/IS auditors, internal auditors, information security
and IT practitioners, consultants, and members of IT/IS management who are looking to gain insight into GEIT.
Key Benefits to COBIT 5 Training
Investing in COBIT 5 training is beneficial for the individual as well as for the enterprise. The key benefits include:
1. Increased efficiencies and productivity—COBIT 5 training courses provide the tools and knowledge that are essential
for the successful use of COBIT. By applying what they learn during the course, professionals will better understand what
GEIT means and how it may be applied to their enterprise. In addition, each individual will have a more practical
appreciation of how to apply COBIT 5 to specific business problems, pain points, trigger events and risk scenarios. As a
result, the individual’s roles and responsibilities within the organization as they relate to COBIT will be clearly defined,
resulting in increased productivity and efficiencies in the enterprise.
2. Building trust in and value from information systems—COBIT 5 training courses provide individuals with the key
concepts and principles so that they can begin to uncover how they will need to assess the current state of their enterprise
IT, with the objective of scoping what aspects of COBIT 5 would be appropriate to implement. Trust originates from the
fact that the individual will have carved a reputation for having the tools and skills necessary to implement and assess
COBIT effectively in their enterprise.
3. Setting oneself apart from the others—In a governance role, the professional’s knowledge of COBIT will set him/her
apart from the rest and speaks to his/her level of commitment to the profession. The courses equip the participants with unmatched knowledge in the form of concepts, principles and processes. This knowledge is crucial in implementing and
assessing COBIT. In addition, commitment to COBIT training allows the professional to be on the cutting edge of
knowledge and practice.
4. Increased confidence and capability—Individuals can sharpen their capabilities and enhance confidence by
understanding the levels of IT-related risk and making informed decisions to reduce information security incidents.
Delivering this understanding and risk awareness to improve prevention, detection and recovery within an enterprise is
vital. The trained COBIT professional is able to provide tools for organizations to maintain high-quality information to
support business decisions as well as to help the enterprise meet regulatory, statutory or governmental requirements.
5. Credibility—Training organizations and individuals who offer COBIT 5 training and exams must first go through a
meticulous accreditation process. Individuals who attend training with an accredited training provider can be certain they
are receiving the highest quality training. Exams are rigorous, challenging and consistent, and, as a result, individuals can
be proud of their achievement. In addition, employers will have the confidence of knowing their employees’ COBIT
credentials come from a reputable and reliable source.
COBIT 5 Training Paths
There are two training paths:
• The implementation path is for those interested in learning how to apply the COBIT 5 framework and COBIT 5:
Enabling Processes and how to analyze the results. Upon completion of the training and exam, attendees are able to
apply COBIT 5’s good-practice, continual-improvement, life-cycle approach to GEIT, tailored to suit the needs of a specific
enterprise, and implement, or advise an enterprise on implementing, a framework for the governance and management of
enterprise IT using COBIT 5.
• The assessor path is for individuals interested in performing COBIT 5-based assessments using the ISO/IEC 15504
approach. This training provides the main guidance on performing a process capability assessment; the roles,
responsibilities and competencies required; and the key steps, from assessment initiation to assessment results reporting.
The assessor course and exam is practitioner-level training that focuses on how to apply the COBIT® 5 Process
Assessment Model (PAM) and how to analyze the results. Upon successful completion of the assessor course and exam
and upon meeting specific knowledge requirements, candidates are able to apply to ISACA to be designated as a COBIT
Certified Assessor. This designation is the only globally accepted certification for COBIT assessors.
Both training paths require first passing the COBIT Foundation exam.
COBIT 5 Examinations
The COBIT Foundation exam focuses on robust testing of the knowledge and comprehension of the foundation concepts and
principles of COBIT. The following describes the COBIT Foundation exam format:
• Multiple-choice questions
• 50 questions per exam
• 50 percent (25/50) pass mark
• 40-minute duration
• Closed book
The COBIT Implementation and COBIT Assessor exams are practitioner-level and follow an objective testing environment
(OTE) format.
The COBIT Implementation exam format is as follows:
• Four OTE questions (20 marks per question)
• 150 minutes
• Open book (only COBIT® 5 Implementation is permitted)
• 50 percent (40/80) pass mark
The COBIT Assessor exam format is as follows:
• Eight OTE questions (10 marks per question)
• 150 minutes
• Open book (only COBIT® 5 Assessor Guide: Using COBIT® 5 and COBIT® Process Assessment Model (PAM): Using COBIT® 5 are permitted)
• 50 percent (40/80) pass mark
Learn more about taking the COBIT 5 exam, the COBIT 5 training qualification scheme and COBIT 5 training
providers on the ISACA web site.
Mark Thomas
Is president of Escoute Consulting in Olathe, Kansas, USA, and a trainer for ISACA. Thomas is a nationally known ITIL and
COBIT expert with more than 20 years of professional experience. His background spans leadership roles from chief
information officer to management and IT consulting. A consultative trainer and speaker in several disciplines, Thomas
provides training services for major training firms and consulting clients in disciplines including business analysis, ITIL,
COBIT, MOF, ISO 20000, TOGAF and IT strategy.
Come join the discussion! Jorge E. Barrera N. will respond to questions in the discussion area of the
COBIT 5—Use It Effectively topic beginning 22 July 2013.
Evidence Management for the COBIT 5 Assessment Programme
By Jorge E. Barrera N., CISA, CGEIT, CRISC, COBIT (F), ITIL V3F, PMP
This article presents a proposal based on the COBIT 5 Assessment Programme[1, 2, 3, 4] for a quick and consistent start to the implementation of COBIT® 5 in any IT environment, whether currently based on COBIT® 4.1 or not.
From a conceptual point of view, COBIT 5 is fascinating for its incorporated principles and its generic model of enablers.[5]
Besides that, its assessment program helps IT leaders provide a business view of IT’s ability to create value and support
enterprise goals through effective IT processes. The results of this program provide a determination of process capability and
can be used for:
• Delivering value to the business. This is viewed as an incremental achievement of strategic goals and a clear
realization of business benefits through effective and innovative use of IT.
• Developing IT process improvement. Periodic measurement of IT processes supports the definition of effective
governance of enterprise IT (GEIT) road maps to drive continuous improvement.
• Measuring the achievement of business goals. Each business goal can be evaluated every time the related GEIT
processes are evaluated. To do so, one can use COBIT 5’s matrix with relationships between business goals and GEIT
processes.
• Generating consistent reports. Reports on the state of the organization’s GEIT are derived from the assessment
process. Because that process is supported by the COBIT Assessment Programme methodology and tools, using COBIT Process
Assessment Model (PAM): Using COBIT 5 (COBIT 5 PAM) and COBIT Assessor Guide: Using COBIT 5, the results are
consistent and reliable.
• Ensuring organizational compliance. All kinds of laws and regulations, which can affect the organization’s GEIT, fall
under the definition of inputs of the COBIT 5 framework and PAM for facilitating their compliance.
• Benchmarking. Periodic measurement of GEIT process capabilities allows for constructive and ongoing comparison
between businesses employing the same or equivalent industry best practices.
In addition to these benefits generated by the implementation of the COBIT 5 Assessment Programme, this article adds the
following short-term benefits:
• Substantial improvement of GEIT understanding in practice
• Consolidated understanding of the need to use COBIT 5 as a GEIT umbrella
• Integrated and effective use of GEIT frames and standards through the alignment provided by COBIT 5 as the umbrella
framework
• Appropriate support to the natural complexity of managing all work products related to the COBIT 5 framework and PAM
• Standardized treatment of all former GEIT achievements by transitioning them to a COBIT 5 environment in practice, as a
result of the first assessment
The magnitude of these benefits greatly depends on the mode with which evaluations are made. A measurement can be
based on personal judgments, judgments based on formal guidance or judgments based on formal guidance with defined
evidence requirements. Measurements based on judgments alone may suffer from a high degree of uncertainty that carries
over into the business case and action plans derived from them. These drawbacks can be obviated if assessments based on
judgments are considered, as posed in COBIT Self-assessment Guide: Using COBIT 5, as a precursor to more rigorous
evaluations based on evidence.
The evidence management model presented in this article therefore responds to a real need; its main parts are:
• Taxonomy of the evidence management
• Relationships between elements of the COBIT 5 PAM
• Alignment and integration of the frameworks for GEIT around COBIT 5
• GEIT artifacts baseline or GEIT evidence baseline
• A method for qualifying the level/degree of evidence
• Life Cycle of Evidence Management Model
The primary objective of this article is to motivate readers to decide to initiate or improve their GEIT implementations using
COBIT 5 as the umbrella framework. Assessing the IT environment of the organization based on PAM and an evidence
management model, such as the one presented in this article, provides a good foundation for this purpose.
Taxonomy of Evidence Management
The predominant entities for managing evidence are grouped as:
• Elements of the COBIT 5 PAM Model: IT process, capability level, attribute, result, work product, generic work product,
generic practice, outcome, content, base practice, output, input and rating level. The definition of these terms is in section
1.7 of the COBIT 5 PAM.
• Derived elements from GEIT frameworks: Called artifacts, the elements of this group can be distinguished in the
following 12 categories:
- Cat01 Inputs from outside of COBIT 5
- Cat02 Outputs or work products of COBIT 5 processes
- Cat03 Outputs of ITIL V3 processes and other aligned frameworks
- Cat04 Outputs of auditing and monitoring frames
- Cat05 Guides and other documents derived from COBIT 5 processes
- Cat06 Guides and other documents derived from aligned frameworks
- Cat07 Guides and other documents derived from monitoring frames
- Cat08 Guides derived from COBIT 5 Implementation
- Cat09 Deliverables generated by continual improvement projects
- Cat10 Artifacts related with deliverables
- Cat11 Support bibliography
- Cat12 Guides and other documents derived from the controlled evolution of the proposal presented in this article
(G2eTIC Project)
The elements of these 12 artifact categories generally correspond to the frameworks’ topic-specific documents, and these
documents are related to one another. The elements of the output categories may also correspond to services or other results.
Frameworks that can be aligned to COBIT 5 by the proposal of this article are ITIL V3, ISO 2700X, The Open Group
Architecture Framework (TOGAF), ArchiMate, the Project Management Body of Knowledge (PMBOK), the Capability Maturity
Model Integration (CMMI), Microsoft Operations Framework (MOF) and ad hoc regulatory frameworks for monitoring and
control.
Relationships Among Elements of COBIT 5 PAM
An analysis of the figures and contents of COBIT 5 PAM results in the following semantic relationships:
• Each process has its specific outcomes.
• Level 1 of each process must be evaluated according to the current state of its outcomes.
• Levels 2 to 5 of each process have two attributes each.
• For levels 2 to 5, each attribute defines several results.
• Each result requires a single generic practice.
• The generic practices apply to levels 2 to 5 of all COBIT processes.
• The generic practices apply equally to the results of the attributes of the levels of each COBIT process and the generic
work products (GWP).
• The COBIT 5 PAM base practices are the same governance and management practices defined in COBIT 5: Enabling
Processes.
• The COBIT 5 PAM work products are the same outputs that are defined in COBIT 5: Enabling Processes, in which they
are defined for each governance and management practice of the process. The inputs are defined in the same manner.
• COBIT 5 PAM relates the outcomes of each process with the base practices and the inputs and outputs of each process.
• COBIT 5 PAM relates the GWP of the processes directly with the capability levels of the processes; therefore, it is not
possible to evaluate the capability levels of the attributes based on GWP. However, a useful perspective is to assess
directly the capability level of the process by the GWP concept.
These semantic considerations help in understanding COBIT 5 PAM and are the foundation of its practical application.
Alignment and Integration of GEIT Frameworks Around COBIT 5
Figure 1 presents the role of COBIT 5 as the umbrella framework that defines the conceptual spectrum of GEIT; the other
frameworks/standards operate as contributors. For example, ITIL V3 covers just under 30 percent of GEIT and ISO/IEC
27001 covers just under another 15 percent.[6] As figure 1 illustrates, the scopes of ITIL V3 and ISO 27001 are part of the
larger GEIT picture—focusing on them in isolation when addressing the overall GEIT picture raises a risk that relationships
with the rest of the GEIT spectrum cannot be optimally understood or justified. As such, a major part of the GEIT spectrum
would remain outside the respective business case of the organization.
Figure 1—COBIT 5 Coverage of Other Standards and Frameworks
Source: ISACA, COBIT 5, 2012, figure 25
It is necessary to take into account in an integrated way COBIT 5, ITIL V3, ISO/IEC 27001 and other related standards and
frameworks in implementing GEIT. The following structure of activities and results defines a strategy for alignment and
integration between frameworks:
• Stage one—Domains of COBIT, ITIL V3 books, ISO 27001 domains, core and phases of TOGAF, and domains of other
frameworks
• Stage two—Processes of COBIT, ITIL V3 book chapters, control objectives of ISO 27001, artifact categories of TOGAF
and second stages of other frameworks, such as CMMI constellations
• Stage three—COBIT governance practices, processes/functions/activities of ITIL, ISO 27001 controls and processes of
other frameworks. This stage includes the diagrams, catalogs and TOGAF matrices.
• Stage four—Outputs of COBIT governance practices and of processes of aligned frameworks. This stage also includes
defined activities or tasks of different frameworks.
The proposed alignment and integration of this article, based on COBIT 5 as the umbrella framework with GEIT centered on
the third and fourth stages of the structure, is grounded on the following statements:
• The GEIT implementation unit is the governance or management practice of COBIT 5. In terms of PMBOK, this is to say,
as a general guide, that each work package of IT projects is a governance practice of COBIT 5 to be implemented or
improved with its respective outputs.
• Processes of aligned frameworks are selected for implementation with their own identity when they generate outputs
equivalent to COBIT 5 work products. This amounts to saying that the selected process makes a primary contribution to
GEIT.
• Detailed analysis concluded that all processes, functions and activities of ITIL V3 and 112 controls of ISO/IEC 27001
deserve implementation with proper identity. This represents less than 50 percent of GEIT. The remaining 21 controls of
ISO/IEC 27001 make secondary contributions to GEIT.
• Processes of other frameworks, such as TOGAF, PMBOK, CMMI and MOF, that generate outputs equivalent to the work
products of COBIT 5 and are not covered by ITIL V3 and ISO/IEC 27001 can be implemented with their own identities.
• Governance and management practices of COBIT 5 that are not represented by processes of other frameworks should be
implemented directly with their own identities. This should draw upon the secondary contributions from other frameworks.
• All catalogs, matrices and diagrams proposed by TOGAF are considered elements that must be taken into account by
processes of COBIT 5 and processes of aligned frameworks that are being implemented.
• The more than 440 outputs of governance practices defined by COBIT 5 and the 208 outputs defined by COBIT 5 for
Information Security should be treated in an integrated manner by each governance and management practice. This
statement also applies for the outputs defined in the future by forthcoming COBIT 5 guides.
• The GEIT contribution that an element of the aligned framework makes is considered primary when it is sufficient to
optimally support the functionality covered by its scope. Otherwise, this contribution, if it exists, is considered secondary.
When an ITIL V3 process is implemented, it is oriented so as to determine each work product of COBIT 5 that applies to it.
The definition of activities; inputs; outputs; the Responsible, Accountable, Consulted and Informed (RACI) matrix; goals; and
metrics should be guided by the architecture of COBIT 5 processes, while still using and leveraging the ITIL V3 contribution.
The same applies for any ISO 27001 control and any process of an aligned framework that was chosen for implementation.
The alignment and integration strategy proposed in this article allows, for example, for the initial use of TOGAF by mapping to
the catalogs, matrices and diagrams proposed. These elements are generated from the umbrella of COBIT 5 without the need
to understand the whole philosophy of TOGAF in order to achieve its benefits.
This initial use of TOGAF without preamble opens the door to its ally ArchiMate, a standard that facilitates the
management of the elements defining enterprise architectures and of the relationships among these elements.
The use of COBIT, ITIL, ISO/IEC standards, TOGAF, ArchiMate and PMBOK elements, as well as those of other GEIT
frameworks and standards, must apply intellectual property rights defined by each of the respective owners.
GEIT Artifacts Baseline or GEIT Evidence Baseline
All elements of GEIT frameworks implemented in the organization—the 12 artifact categories defined previously—constitute
the evidence to support the assessment of COBIT 5 processes at the beginning of the GEIT program and in its entire
existence in the organization.
Registering GEIT artifacts that are operating is performed in the baseline of GEIT artifacts of the organization.
This baseline must support the release management and the distribution management of the organization’s
artifacts. In the management of this baseline of artifacts, the following four recording aspects are distinguished:
• Single record of artifacts—The use of the alignment and integration structure of frameworks, described previously,
enables the definition of a single identification code structure of artifacts with the following stages of GEIT:
1. Category of artifacts
2. Framework that is valid in the category
3. Domains of the framework
4. Processes for COBIT 5 (or identifier level for other frameworks)
5. Governance or management practices for COBIT 5 (or process for other frameworks)
6. Outputs or work products for COBIT 5 (or process activity for other frameworks)
7. Version of work products or activities
8. Repetitions for outputs for COBIT 5 (or improvements for other frameworks)
When the third stage is set to “000,” all lower stages take the same value “000” to indicate that the artifact applies, in a
generalized way, its content to that stage and to the dependent stages.
• Relationships of COBIT 5 PAM model elements—These elements were listed in the definition of the taxonomy of the
evidence management described previously. This article emphasizes the following relationships among GEIT work
products and:
- Outcomes of each COBIT 5 process
- Results of attributes at each capability level of the COBIT 5 processes
- Generic work products of each COBIT 5 process
The first two items give support to evidence-based assessments using the COBIT 5 PAM as illustrated in figure 2. The
third item supports the evaluation, also with evidence, of the state of the generic work products of each COBIT 5 process.
Figure 2—Link Between the Evidence Model and PAM (entities: Process’s Outcomes; Evidence per Each Outcome; Results per
Each Attribute; Evidence per Each Result; GEIT Artifacts Records. The process attributes provide the measurable
characteristics of process capability.)
• Umbrella-type relationships—Other frameworks/standards correspond based on the governance and management
practices in COBIT 5 that are defined for alignment of the frameworks:
- To and from elements derived from the application of frameworks aligned like ITIL V3, ISO 27001 and others
- To and from elements derived from the application of frameworks oriented to verification and monitoring
- To and from elements derived from the application of regulations specific to the organization and its environment
Several benefits can be realized from this mapping, such as:
- A gap analysis between the implemented GEIT framework and the COBIT 5 framework guidance
- A quality assessment of the implemented artifacts
- A statement of applicability for each governance and management practice, with due justification for its inclusion or
exclusion
- A gap analysis of the implemented governance and management practices and those that are rigorously necessary
- Road maps at the governance and management practices and processes levels of COBIT 5 for the short, medium
and long term
• Other relationships for assessment purposes—Relationships among the following fall into this category:
- Inputs and outputs defined by the continual improvement life cycle approach[7] for each of its phases
- Enablers defined in COBIT 5
- Enterprise goals and their metrics
- IT-related goals and their metrics
- Goals of COBIT 5 processes and their metrics
- All other metrics proposed by COBIT 5 and adopted by the organization
Therefore, this GEIT artifacts baseline supports recording all work products related to the COBIT 5 PAM and managing the
relationships among them that its assessment processes require.
Method for Qualifying the Level/Degree of Evidence
The method for qualifying the level/degree of evidence is based on figure 2, which includes figure 4 of the COBIT 5 PAM and
the fragment of the evidence model’s entity relationship diagram with which it is paired.
From the single record of artifacts described previously, the steps for evaluating the capability level of each COBIT 5 process
selected for assessment follow.
• Step 1: Use the respective Microsoft Excel spreadsheets provided in the COBIT 5 Implementation tool kit and customize
them with the changes illustrated in figures 3 and 4. Figure 3 illustrates the macro diagram of the matrix used for the
evaluation of the specific outcomes of each COBIT 5 process. Figure 4 illustrates the macro diagram of the matrix used for
the assessment of levels 2 to 5 of the process. For a record of the evidence of every outcome and every result, one needs to
insert two columns with the following registration purposes:
- ART: For codes of artifacts that represent evaluation criteria. This column of figure 3 corresponds to the “Evidence per
Each Outcome” entity of figure 2. In figure 4, this column corresponds to the “Evidence per Each Result” entity of figure 2.
- JUST: For justification of the assigned percent
• Step 2: For each outcome, one must identify the documentary artifacts that represent it in reality and therefore constitute
its evidence. Evaluate the percent of quality and completeness that this support provides to the outcome. To do so, enter the
respective codes of artifacts in the ART column, analyze the evidence that these documents provide to the outcome, and
then enter in the AS column the percent value that one assigns to the outcome. After that, enter in the JUST column the
concrete justification, based on evidence, of the assigned percent value. The Excel sheet should calculate the average
percent corresponding to the attribute and to level 1. The allocation of the percent should be in accordance with the rating
levels that are indicated in figure 4 of the COBIT 5 PAM.
• Step 3: For each attribute’s result of the process, one must proceed equivalently as done in step 2. The Excel spreadsheet
shall provide the calculations of the average percent corresponding to the attributes of levels 2 to 5 of the process, and it
shall calculate the average percent of these levels, as well.
• Step 4: For allocating the process capability level, one should proceed as indicated in Figure 5—Levels and Necessary
Ratings of COBIT Self-assessment Guide: Using COBIT 5.
Figure 3—Assessment of Level 1 (matrix layout: LEVEL; OUTCOME; EVIDENCE as ART + JUST per outcome; AS %;
CALCULATION: ATTRIBUTE %; CALCULATION: LEVEL 1 ONLY %)
Figure 4—Assessment of Levels 2 to 5 (matrix layout: LEVEL; ATTRIBUTE; RESULTS; EVIDENCE as ART + JUST per result;
AS %; CALCULATION: ATTRIBUTE %; CALCULATION: LEVEL %)
As an additional advantage of the semantic relationships of the COBIT 5 PAM described previously, a further evaluation of
capability levels 2 to 5 based on the GWP is proposed. Figures 5 and 6 illustrate the macro diagrams of the respective
matrices.
In the columns marked “ART + JUST” in figure 5, one should proceed in an equivalent manner as one did for these columns
in figure 3. The Excel sheet of figure 5 should calculate the percent value for each GWP. One must bring all GWPs’ percent
values from figure 5 to figure 6. The Excel sheet of figure 6 will calculate the percent values for levels 2 to 5.
One should note that the calculation of average percent by the Excel sheet in figure 6 for each capability level does not
consider attributes. The outcome of this assessment should be consistent with the assessment of levels 2 to 5, as shown in
figure 4.
Figure 5—Assessment of GWPs (matrix layout: GWP; CONTENT; EVIDENCE as ART + JUST per content item; AS %;
CALCULATION: GWP %)
Figure 6—Direct Assessment of Levels 2 to 5 (matrix layout: LEVEL; GWP %; CALCULATION: LEVEL %)
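The spreadsheet arithmetic of steps 1 to 4, together with the eight-stage artifact code of the baseline section, can be written down as a short script. The following Python is an added example; it is not code from the article, from the ISACA tool kit or from the G2eTIC project. The "." separator between code stages, the 15/50/85 percent rating bands and the level-achievement rule it applies are assumptions, stated in the module docstring and in comments, and the DSS05 sample rows, codes and percents are constructed for illustration.

```python
"""Evidence scoring for a COBIT 5 PAM process assessment (added example).

Not code from the article or the G2eTIC project. It models the ART / AS / JUST
columns the article adds to the assessment spreadsheets and reproduces the
spreadsheet arithmetic: average percent per attribute, per level, and the
capability level that results.

Assumptions not stated on the page:
  * artifact codes are the article's eight stages joined with '.';
  * rating bands follow ISO/IEC 15504-2 as reproduced in PAM figure 4:
    N up to 15 %, P up to 50 %, L up to 85 %, F above 85 %;
  * capability level n is reached when every attribute below level n is rated
    F and every attribute at level n is rated L or F (this example's reading of
    the Self-assessment Guide's figure 5).
"""
from dataclasses import dataclass
from statistics import mean

STAGES = 8          # category, framework, domain, process, practice, output, version, repetition
NULL_STAGE = "000"  # the article's "applies in a generalized way" marker


def validate_artifact_code(code: str) -> bool:
    """Single-record code check: eight non-empty stages, and when stage 3 is
    '000' every lower stage (4 to 8) must be '000' as well."""
    parts = code.split(".")
    if len(parts) != STAGES or any(p == "" for p in parts):
        return False
    if parts[2] == NULL_STAGE:
        return all(p == NULL_STAGE for p in parts[3:])
    return True


@dataclass
class EvidenceRow:
    """One spreadsheet row: an outcome (level 1) or an attribute result (levels 2 to 5)."""
    item: str        # outcome or result text
    art: list        # ART column: artifact codes cited as evidence
    assigned: float  # AS column: percent assigned by the assessor
    just: str = ""   # JUST column: evidence-based justification of the percent

    def __post_init__(self):
        if not 0 <= self.assigned <= 100:
            raise ValueError(f"AS must be a percent, got {self.assigned}")
        bad = [c for c in self.art if not validate_artifact_code(c)]
        if bad:
            raise ValueError(f"invalid artifact code(s): {bad}")
        if self.assigned > 0 and not self.art:
            raise ValueError("a non-zero AS needs at least one ART code as evidence")


def rating(percent: float) -> str:
    """Map a percent to N / P / L / F using the assumed 15 / 50 / 85 bands."""
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def attribute_percent(rows) -> float:
    """CALCULATION: ATTRIBUTE column, the average of the rows' AS values."""
    return mean(r.assigned for r in rows)


def level_percent(attributes) -> float:
    """CALCULATION: LEVEL column, the average over the level's attributes."""
    return mean(attribute_percent(rows) for rows in attributes.values())


def capability_level(process) -> int:
    """process maps level -> {attribute id -> [EvidenceRow]}. Walk up from
    level 1 applying the assumed achievement rule; stop at the first level
    whose attributes are not all rated F."""
    achieved = 0
    for level in sorted(process):
        ratings = [rating(attribute_percent(rows)) for rows in process[level].values()]
        if all(r == "F" for r in ratings):
            achieved = level          # fully achieved: keep climbing
            continue
        if all(r in ("L", "F") for r in ratings):
            achieved = level          # largely achieved counts, but nothing above it
        break
    return achieved


def sample_assessment():
    """Constructed sample for one process (DSS05); codes, percents and
    justifications are made up for this example."""
    pol = "02.COBIT5.DSS.DSS05.DSS05-01.PolicyIS.01.00"  # an output of practice DSS05.01
    gen = "05.COBIT5.000.000.000.000.000.000"            # a guide applying to all of COBIT 5
    return {
        1: {"PA1.1": [EvidenceRow("Outcome 1", [pol], 90, "policy approved and published"),
                      EvidenceRow("Outcome 2", [pol, gen], 100, "complete and current"),
                      EvidenceRow("Outcome 3", [gen], 95, "minor gaps in scope")]},
        2: {"PA2.1": [EvidenceRow("Result a", [gen], 80), EvidenceRow("Result b", [gen], 90)],
            "PA2.2": [EvidenceRow("Result a", [gen], 60), EvidenceRow("Result b", [gen], 70)]},
        3: {"PA3.1": [EvidenceRow("Result a", [gen], 40), EvidenceRow("Result b", [gen], 30)],
            "PA3.2": [EvidenceRow("Result a", [gen], 20), EvidenceRow("Result b", [], 0)]},
    }


if __name__ == "__main__":
    proc = sample_assessment()
    for level, attrs in proc.items():
        for pa, rows in attrs.items():
            pct = attribute_percent(rows)
            print(f"level {level} {pa}: {pct:5.1f} % {rating(pct)}")
        print(f"level {level} average: {level_percent(attrs):5.1f} %")
    print("capability level:", capability_level(proc))
```

The validation in EvidenceRow is the point a reviewer cares about: a percent with no artifact code behind it is exactly the judgment-only measurement the article warns against, so the row refuses it, and a malformed code is rejected before it can silently skew an attribute average. In the sample, level 1 averages to 95 % (F), level 2 to 85 % and 65 % (both L) and level 3 falls to P and N, so the process is placed at capability level 2.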
Life Cycle of Evidence Management Model
The following steps are proposed as part of the actual and effective beginning of GEIT implementation in an organization:
1. Inventory current GEIT documentation—It employs a matrix with the following columns: ID code of the document,
version, name, description, format, owner area, responsible person, stakeholders and frameworks. The inventory should
cover all actual documents related with IT management in the organization, even those not formally authorized but in
operation. Special care must be taken with artifacts related with documents that come from outside of COBIT 5 and are
defined in COBIT 5 for Information Security.
2. Categorize documents—Each document identified in the inventory must be mapped to the 12 categories of artifacts of
frameworks proposed in this article. The same matrix from step 1 can be used, adding 12 columns, or a new and specific
matrix can be developed for this purpose.
3. Map COBIT 5 processes—Several relationships among documents or artifacts and the GEIT processes should be
documented in a matrix. This exercise reinforces the knowledge of COBIT 5 and must be supported by the COBIT 5:
Enabling Processes guide.
4. Complete nonrigorous evaluation of COBIT 5 processes—COBIT Assessment Programme Tool Kit: Using COBIT
5 should be used to evaluate COBIT 5 processes and the matrices of the previous steps. The respective assessment
reports should be prepared and distributed as established by the organization in order to gain approval and
encouragement for the next steps.
5. Map outputs to the documents—The outputs or work products of COBIT 5 processes could be taken from figure 7 and
appendix B.2 of the COBIT 5 PAM, but it is more useful to pick them from the level of governance practice in COBIT 5:
Enabling Processes and COBIT 5 for Information Security. The work products are located in the rows of the matrix to be
used for mapping, and for each of them, the related documents should be identified. Several benefits can be derived from
this mapping, such as those enumerated previously in this article regarding the umbrella-type relationships.
6. Complete first version of the baseline of GEIT artifacts—The categories of artifacts Cat02, Cat03 and Cat04
represent work products. All documents recorded in the inventory of the 12 categories defined should be modularized in
terms of work products, either by direct conversion or by mapping matrices. This exercise does not involve redoing, but
decomposing into parts the artifacts that are in operation. It can be done in parallel with step 5. As part of the exercise, it
also standardizes and allocates codes to the modularized artifacts. This new registration of standardized artifacts and
their relationships is the first version of the baseline of GEIT artifacts.
7. Complete standard evaluation using evidence support—The baseline of GEIT artifacts constitutes the adequate
evidence for the COBIT 5 Assessment Programme. The method outlined previously in this article for each selected
process to be evaluated should be followed. The respective assessment reports should be prepared and distributed as
established by the organization. These reports can then be categorized and recorded in the baseline of GEIT artifacts
because they are, by themselves, implementation evidence of some work products of COBIT 5 processes.
8. Complete business case and project development—Evaluations proposed in this article support the precise definition
of the GEIT business case and its respective definition of projects. See the sample business case in COBIT 5
Implementation.
9. Update the baseline of GEIT artifacts—This baseline is updated by:
• Laws and other regulations that affect the GEIT of the organization
• The operation of GEIT every day. This refers to categories of artifacts:
- Outputs of COBIT 5 processes that are in operation
- Outputs of aligned frameworks that are in operation
- Outputs from monitoring and control frameworks
• Results from GEIT projects, always oriented to continual improvement. They are artifacts of the other nine categories.
10. Return to step 7.
This sequence of steps corresponds to an evidence management perspective in measuring capability levels of processes.
The implementation of this life cycle should be adapted depending on the orientation that each organization takes from
COBIT 5 Implementation and COBIT Assessor Guide: Using COBIT 5.
A self-learning exercise is suggested in the business case sample presented in COBIT 5 Implementation, and the evaluation
of GEIT processes should be supported by the tools defined in the appendices of COBIT Assessor Guide and its critical
success factors.
Expectations and Conclusions
The potential of mappings that are supported by the baseline of GEIT artifacts opens the doors to an effective implementation,
as it generates knowledge and confidence to stakeholders and, thus, facilitates the obtaining of necessary management
support.
The mappings from artifacts to COBIT 5 processes, combined with the mapping of IT process goals to IT-related goals and on
to enterprise goals, provide the necessary support to make bottom-up assessments on the cascade of COBIT 5 goals. This
mapping supports a positive effect on the management of the GEIT balanced scorecard of the organization—linking IT
process capability improvement opportunities directly with enterprise goals.
It is estimated that the first complete, quality-assured record of the GEIT evidence and an initial evaluation of COBIT 5
processes may take no more than three months, depending on the size and location of the organization, the defined scope,
and the resources allocated to this purpose.
Acknowledgment
The content of this article is the result of work done by the G2eTIC Project, which was conceived with an academic and
business orientation. References to documents of COBIT 5 and the use of its content are made in accordance with the
respective license agreement between ISACA and the author of this article. G2eTIC provides the conceptual framework,
methodological tools and complementary tools corresponding to the proposal presented in this article.
Jorge E. Barrera N., CISA, CGEIT, CRISC, COBIT (F), ITIL V3F, PMP
Is an independent consultant in governance and management of IT in the enterprise and author of the Project G2eTIC, which
develops a set of seminars and tools for practical learning and integrated use of COBIT 5. Barrera can be reached at
jorgeebarrera@yahoo.com.
Endnotes
1. ISACA, COBIT® Process Assessment Model (PAM): Using COBIT® 5, 2012
2. ISACA, COBIT® Assessor Guide: Using COBIT® 5, 2012
3. ISACA, COBIT® Self-assessment Guide: Using COBIT® 5, 2012
4. ISACA, COBIT® Assessment Programme Tool Kit: Using COBIT® 5, 2012
5. ISACA, COBIT® 5: A Business Framework for the Governance and Management of Enterprise IT, 2012
6. Ibid.
7. ISACA, COBIT® 5 Implementation, 2012
COBIT Focus is published by ISACA. Opinions
expressed in COBIT Focus represent the views
of the authors. They may differ from policies and
official statements of ISACA and its committees,
and from opinions endorsed by authors,
employers or the editors of COBIT Focus.
COBIT Focus does not attest to the originality of
authors’ content.
© ISACA. All rights reserved.
Instructors are permitted to photocopy isolated
articles for noncommercial classroom use without
fee. For other copying, reprint or republication,
permission must be obtained in writing from the
association. Please contact Julia Fullerton at
jfullerton@isaca.org.
Framework Committee
Steven A. Babb, CGEIT, CRISC, UK, chair
David Cau, ITIL, MSP, Prince2, France
Sushil Chatterji, CGEIT, Singapore
Frank Cindrich, CGEIT, CIPP, CIPP/G, USA
Joanne De Vito De Palma, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL, Austria
Katherine McIntosh, CISA, USA
Andre Pitkowski, CGEIT, CRISC, OCTAVE, Brazil
Paras Shah, CISA, CGEIT, CRISC, CA, Australia
Editorial Content
Comments regarding the editorial content may be directed to
Jennifer Hajigeorgiou, senior editorial manager, at
jhajigeorgiou@isaca.org.
©2013 ISACA. All rights reserved.