CoBIT – General Introduction February 16, 2010
Posted by Ausaf Ahmad in Working in IT. Tags: CoBIT
COBIT helps the organization mold its IT processes to the business needs and goals of the organization. It helps the organization establish a start point and an end point; that is, determining where the organization is now and where it wants to be. Knowing the goals, IT can then act on the business objectives.
COBIT also provides an effective mechanism for managing and measuring progress in implementing ITIL processes by helping the organization understand its goals and measure progress in achieving them. In addition, COBIT provides a mechanism for measuring improvement and for continual improvement.
Specifically, COBIT provides management directions for getting the enterprise’s information and related processes under control, monitoring achievement of organizational goals, monitoring performance within each IT process, and benchmarking organizational achievement. These directions include:
Assurance Guide — Provides an audit guideline for each of the high-level control objectives. The guideline permits review of IT processes against the detailed control objectives listed under the high-level control objective, providing management assurance and indicating potential areas of improvement.
Maturity models — Help the organization determine where it is today, and where it wants to be.
Critical success factors — Present the most important management-oriented implementation guidelines to achieve control over and within IT processes. In COBIT, the Key Management Practices are the main management practices that the process owner needs to perform to achieve process goals.
Key goal indicators — Provide measures that tell management (after the fact) whether an IT process has achieved its business requirements, usually expressed in terms of information criteria.
Key performance indicators — Define measures that determine how well the IT process is performing in enabling the goal to be reached. They are lead indicators of whether a goal will likely be reached or not, and are good indicators of capabilities, practices, and skills. They measure the activity goals, which are the actions the process owner must take to achieve effective process performance.
We can divide COBIT into four domains, which tell us what we can offer to the organization:
1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
Now we can discuss each of the above points in more detail.
Plan and Organize
• Provide tools to automatically discover the current IT infrastructure and Configuration Items (CIs) such as IT services, hardware, software, users, relationships, etc. Services such as the help desk solution, asset management and the user authorization database are ones for which we currently keep neither a dedicated database nor software to implement them.
• Include asset and financial information about the costs associated with each CI. For example, to raise a C.E.R. we have to fill in a form and obtain approval for it from higher management. This is all based on paperwork; what we can do is analyze the facts involved in that process and get it running on our enterprise solution (a paperless environment).
• Allow for identification of risk through the relationships among critical IT services and CIs, and through correlation with past incidents and problems. For example, the risks involved in providing Internet access to end users: what is necessary to make sure that our network will be secured, which products (hardware) we need in order to implement it, and which practices can be adopted in analyzing those facts and figures.
• Support the management of IT resources, such as staff, budgets, and hardware.
Acquire and Implement
• Manage the full lifecycle of IT asset procurement, placement, configuration, allocation, maintenance, and retirement. For example, at present we do not know which hardware has been purchased (for a few items we have been keeping purchase dates for some years), and we do not know under which circumstances or why we purchased it, how much has been spent on maintaining it, and so on.
• Capture the costs associated with the entire lifecycle of IT assets (hardware and software).
• Ensure that all pertinent information related to the IT assets is maintained in a database.
• Track changes from the moment they are proposed, through implementation in the live environment, to evaluation of the end result, and also give us the ability to track change requests through the stages of review, authorization and implementation, with the routing and approval path determined by various criteria. For example, take the implementation of the payroll application on BaaN: the system was first running in a Windows-based environment on a SQL Server database, and there were many problems running the application in that environment, so a suggestion was put forward to move the application to BaaN – Live (a change request). But we do not know when this suggestion for change was put up and by whom, when we got approval for it, how the system was to be designed under the designated rules, who the concerned persons were during its implementation, and what we can do to enhance our capabilities for changing it. We do not have a track record of what changes were made during the implementation of the application, so we cannot compare the old application with the newly designed one.
• Permit determination of technical and business impact, impact on other services, the effect of not implementing the change and the resources required, and also facilitate gathering changes from all stakeholders into the change management database. It also helps us integrate the help desk solution to automate the raising of incidents.
Deliver and Support
• Provide support for the various security disciplines as defined by globally recognized security standards, centralized management of identities and access privileges, and bi-directional provisioning to the various security target systems. For example, ISO 27001 sets out security control objectives and recommends a range of specific security controls; by following it in conjunction with COBIT we can implement an Information Security Management System in our organization.
• Enable self-service password management and password synchronization procedures, and also provide intrusion detection from external and internal sources, timely provisioning of security patches and settings, and a defined way of taking corrective action in response to security policy violations. For example, users can change their own login passwords themselves if we use the type of systems and policies that let us maintain them in one place. Firewalls can be used to protect the systems from intrusion.
• Employ certified best practices and IT process alignment to consolidate, log, track, manage, and escalate all types of incidents and problems from users, third-party organizations and other IT applications. For example, we can deploy a help desk solution here that tells us whether a reported IT problem is hardware related, software related or ERP related.
• Provide an integrated, searchable knowledge base of common solutions and workarounds to known errors. For example, we can deploy a knowledge base management system built on the facts and knowledge gained from our previous experiences, and later apply these practices to known errors so that they are solved in a timely manner.
• Log historical changes so that they are available for audit purposes, and also provide standard, easily configured reports that allow analysis of standards compliance, security audits, and financial cost and recovery. For example, we can enable audit logs at the operating system level, such as recording when a user last logged in.
• Enable consistent management of enterprise database applications and platforms, and also provide automation to support data change management, performance tuning, database security management, backup and recovery, and database archiving.
Monitor and Evaluate
• All IT processes must produce logs, audit trails and reports to assist in evaluating and monitoring IT performance, which can only be achieved with the help of some sort of database system in which the right parameters are defined.
• Provide automation for continual evaluation of internal control effectiveness.
• Provide support for IT governance best practices such as ITIL, CGEIT, ISO 27001, etc.
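The operating-system audit log mentioned under Deliver and Support (when did a user last log in) and the logs, audit trails and reports called for under Monitor and Evaluate come together in a small report like the one below. This is an added example, not code from the original post; it assumes Linux sshd lines in syslog format, and the log lines, hostname, user names and addresses are constructed for illustration. The script parses the lines, reports each user's last successful login, flags source addresses with repeated failed logins, and lists accounts from a user authorization list that have not logged in within a chosen window.

```python
"""Added example (not from the original post): turn OS-level authentication
logs into audit evidence of the kind the Monitor and Evaluate domain needs.
Log format assumed: Linux OpenSSH sshd syslog lines with an ISO timestamp."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an auth log extract (hypothetical host, users, addresses).
SAMPLE_LOG = """\
2010-02-01T08:12:03 host1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
2010-02-01T08:15:41 host1 sshd[1210]: Failed password for bob from 10.0.0.9 port 51300 ssh2
2010-02-01T08:15:45 host1 sshd[1210]: Failed password for bob from 10.0.0.9 port 51300 ssh2
2010-02-01T08:16:02 host1 sshd[1210]: Accepted password for bob from 10.0.0.9 port 51300 ssh2
2010-02-10T17:40:19 host1 sshd[1388]: Accepted publickey for alice from 10.0.0.5 port 51900 ssh2
2010-02-14T02:03:55 host1 sshd[1402]: Failed password for invalid user admin from 192.0.2.77 port 40011 ssh2
2010-02-14T02:03:58 host1 sshd[1402]: Failed password for invalid user admin from 192.0.2.77 port 40011 ssh2
2010-02-14T02:04:01 host1 sshd[1402]: Failed password for invalid user admin from 192.0.2.77 port 40011 ssh2
2010-02-14T02:04:04 host1 sshd[1402]: Failed password for invalid user admin from 192.0.2.77 port 40011 ssh2
2010-02-14T02:04:07 host1 sshd[1402]: Failed password for invalid user admin from 192.0.2.77 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Parse sshd lines into dicts; lines that do not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def last_logins(events):
    """Last successful login per user: the 'when did the user log in last' check."""
    last = {}
    for e in events:
        if e["result"] == "Accepted":
            if e["user"] not in last or e["ts"] > last[e["user"]]:
                last[e["user"]] = e["ts"]
    return last


def failed_by_source(events, threshold=5):
    """Source addresses with at least `threshold` failed logins, as a KPI-style indicator."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[e["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def dormant_users(events, as_of, known_users, max_idle_days=30):
    """Accounts from the authorization list with no successful login inside the window."""
    last = last_logins(events)
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u in known_users if last.get(u) is None or last[u] < cutoff)


def audit_report(text, as_of_iso, known_users, max_idle_days=30):
    """Build the three report sections from raw log text and an ISO report date."""
    events = parse_auth_log(text)
    as_of = datetime.fromisoformat(as_of_iso)
    return {
        "last_login": {u: t.isoformat() for u, t in last_logins(events).items()},
        "suspicious_sources": failed_by_source(events),
        "dormant_users": dormant_users(events, as_of, known_users, max_idle_days),
    }


if __name__ == "__main__":
    # "carol" is in the (constructed) authorization list but never logs in.
    report = audit_report(SAMPLE_LOG, "2010-02-16", ["alice", "bob", "carol"])
    for section, rows in report.items():
        print(section, rows)
```

The report date and the user list stand in for the database the post says such monitoring needs; in practice the user list would come from the user authorization database and the log text from the systems being audited. The 30-day window and the failure threshold are the "right parameters" to define for the organization rather than fixed values.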