An Introduction to IT Management with COBIT 2019

An Introduction to IT Management with
COBIT 2019
prof. dr. Gregor Polančič ©
November 2021

Agenda
• Introduction
• IT Management and IT Governance
• The role of frameworks in EGIT
• COBIT 2019 Basics
• COBIT 2019 Principles
• COBIT 2019 Concepts
• COBIT 2019 Core Structure

Assets in IT
IT Management
EGIT with COBIT 2019

Introduction
An introduction to IT Management with COBIT 2019

What do you see on the picture?
5
A business unit, i.e., a company
Holistic vs. elementary view

What is the focal objective of a company?
6
Profit

How does a company achieves profit?
7
Profit
Goods /
Services
Value creation Generate returns

What does a company need to create value?
8
Resources

What is money?
9
This means we can
buy resources.

Can we buy Everything?
10
“There are some things money can't buy /…/”

A company can’t buy …
11
Capabilities
Capabilities need to be established and evolved.

Are people resources or capabilities?
We can hire a
person.
A person has to
be trained and
educated.
Both

Are resources and capabilities related?
13
Capabilities coordinate, control and deploy resources.

Capabilities and Resources are Assets
• Something of either tangible or intangible value that is worth
protecting, including people, information, infrastructure, finances
and reputation.

15
B. Orand, Foundations of IT Service Management: The ITIL Foundations
Course in a Book, 3rd ed. CreateSpace Independent Publishing
Platform, 2011.

IT Management and Governance

What is IT Management?
• Planning, building, running and monitoring of IT activities in
alignment with the direction set by the governance body to achieve
the enterprise objectives.
Governance body
Enterpise
goals

Business – IT relationship
• Traditionally business and economy
were separated from information
technology.
• Governing boards (boards of directors)
and senior management could delegate,
ignore or avoid I&T-related decisions.
• In most sectors and industries, such
attitudes are now ill-advised.
• In the light of digital transformation,
information and technology (I&T)
have become crucial in the support,
sustainability and growth of
enterprises.
Source: COBIT® 2019 Framework: Introduction and Methodology, ISBN 978-1-60420-763-7
Joined business and IT as an integral
part of a modern enterprise.
IT BUSINESS

The Role of IT in Business and Economics
Provide support for
basic enterprise
services and
stabilize operations.
Support
Enable business and
partnership,
consolidate
management
information and
integrate process
orientation.
Improve
Provide inter-
enterprise solutions,
assure business
growth, flexibility
and business
intelligence.
Innovate
Efficiency Effectiveness Transformation

The impact of IT on Business and Economics
• Stakeholder value creation is often
driven by a high degree of digitization
in new business models, efficient
processes, successful innovation, etc.
• Modern organizations (i.e., digitized
enterprises) are increasingly
dependent on I&T for survival and
growth.
IT
Performance
Business / IT
alignment
Enterprise
performance

https://venture-leap.com/category/digital-transformation/succesful-digital-transformation/

What is IT Governance?
• The responsibility of executives and the board of directors.
• Consists of the leadership, organizational structures and processes that ensure
that the enterprise’s IT sustains and extends the enterprise's strategies and
objectives.
Governance body
CIO
Enterprise goals
CxO

Enterprise Governance of Information and
Technology - EGIT
• EGIT is an integral part of corporate
governance.
• EGIT consists of governance and
management activities.
• EGIT is complex and multifaceted.
• There is no silver bullet (i.e., ideal way) to
design, implement and maintain effective
EGIT within an organization

Benefits of Effective EGIT
• Benefits realization assures the
creation of value for the enterprise
through I&T.
• Risk optimization entails addressing
the business risk associated with the
use, ownership, operation,
involvement, influence and adoption
of I&T within an enterprise.
• Resource optimization ensures that
the appropriate capabilities are in
place to execute the strategic plan and
sufficient, appropriate and effective
resources are provided.
Source: Information Systems Audit and Control Association, Ur., COBIT
5: a business framework for the governance and management of
enterprise IT: an ISACA® framework. Rolling Meadows, Ill: ISACA, 2012.

The role of EGIT frameworks

IT needs proper
management and
governance

How to manage and govern IT?
„No institution can possibly survive if it needs geniuses or supermen to manage it. It
must be organized in such a way as to be able to get along under a leadership
composed of average human beings.“ [Peter F. Drucker]
Superman Trained and educated
CxO

Modern management approaches are based on
best practices – based EGIT frameworks.
„IT is complex, IT management doesn‘ t need to be!“
Solution for IT management and governance

What is the role of IT frameworks?
Checklists Best practices

Benefits of IT Management frameworks
• They are time effective.
• They provide structure.
• They follow best practices.
• Knowledge can be shared.
• They are auditable.

Introducing „state of the art“ EGIT framework

COBIT 2019 Basics

COBIT – a framework for EGIT
• Over the years, best-practice frameworks have been developed and promoted to
assist in the process of understanding, designing and implementing EGIT.
• COBIT 2019 builds on and integrates more than 25 years of development in this
field, not only incorporating new insights from science, but also operationalizing
these insights as practices.
• From its foundation in the IT audit community, COBIT has developed into a
broader and more comprehensive I&T governance and management framework
and continues to establish itself as a generally accepted framework for I&T
governance.

ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.

Facts about COBIT 2019
What IS COBIT
• COBIT is a framework for the GEIT,
aimed at the whole enterprise.
• COBIT defines the components to
build and sustain a governance
system.
• COBIT defines the design factors that
should be considered by the
enterprise to build a best-fit
governance system.
What IS NOT COBIT
• COBIT is not a full description of the
whole IT environment of an
enterprise.
• COBIT is not a framework to organize
business processes.
• COBIT is not an IT/technical
framework to manage all technology.
• COBIT does not make or prescribe any
IT-related decisions.

COBIT Audience – Internal stakeholders
• Boards Provides insights on how to get value from the use of I&T and
explains relevant board responsibilities.
• Executive Management Provides guidance on how to organize and
monitor performance of I&T across the enterprise.
• Business Managers Helps to understand how to obtain the I&T solutions
enterprises require and how best to exploit new technology for new
strategic opportunities.
• IT Managers Provides guidance on how best to build and structure the IT
department, manage performance of IT, run an efficient and effective IT
operation, control IT costs, align IT strategy to business priorities, etc.
• Assurance Providers Helps to manage dependency on external service
providers, get assurance over IT, and ensure the existence of an effective
and efficient system of internal controls.
• Risk Management Helps to ensure the identification and management of
all IT-related risk.

COBIT Audience – External stakeholders
• Regulators Helps to ensure the enterprise is compliant with applicable
rules and regulations and has the right governance system in place to
manage and sustain compliance.
• Business Partners Helps to ensure that a business partner’s operations
are secure, reliable and compliant with applicable rules and
regulations.
• IT Vendors Helps to ensure that an IT vendor’s operations are secure,
reliable and compliant with applicable rules and regulations.

Sample COBIT adoptions in Europe
• The benefits of COBIT implementation have been achieved by public sector and
governmental agencies across Europe. The table below lists where COBIT is used
within the regulatory bodies throughout Europe.
• Greece: COBIT framework was recognized and standards based on COBIT were
adopted by the banking industry.
• Lithuania: COBIT is being used by the National Audit Office of the Lithuanian
Republic for auditing the IT activities in the government sector. COBIT was translated
into Lithuanian as only material in the state language can be used in state-approved
methodologies. COBIT is used as the official material for governmental organizations,
and private audit and consulting companies, especially if they have business relations
with government institutions.
• Poland: COBIT is recognized by the Inspector General of Poland.
• Romania: COBIT has been adopted for internal use within the public sector and
government agencies.
Source: https://www.itgovernance.eu/sv-se/cobit-adoption-in-europe-se

COBIT 2019 Principles

„A principle is a fundamental truth or proposition that serves as the foundation for a system
of belief or behavior or for a chain of reasoning.“ [lexico.com]

Overview of COBIT 2019 Principles

Six Principles for a Governance System

Provide Stakeholder Value
• Each enterprise needs a governance
system to satisfy stakeholder needs
and to generate value from the use of
I&T.
• Value reflects a balance among
benefits, risk and resources, and
enterprises need an actionable
strategy and governance system to
realize this value.

Holistic Approach
• A governance system for
enterprise I&T is built from
several components that can be
of different types and that work
together in a holistic way.
Source: https://www.businessbeam.com/blog/cobit-2019/

Dynamic Governance System
• A governance system should be
dynamic.
• This means that each time one or
more of the design factors are
changed (e.g., a change in strategy or
technology), the impact of these
changes on the EGIT system must be
considered.
• A dynamic view of EGIT will lead
toward a viable and future-proof EGIT
system.
The dynamic priciple is evident from
the COBIT 2019 logo

Governance Distinct from Management
• A governance system should
clearly distinguish between
governance and management
activities and structures.
Source: White, Barbara. (2008). IT GOVERNANCE, IT SERVICE MANAGEMENT
AND THE ORGANIZING ROLE OF THE INFORMATION TECHNOLOGY
INFRASTRUCTURE LIBRARY (ITIL). Issues in Information Systems. 9.

Tailored to Enterprise Needs
• A governance system should be
tailored to the enterprise’s
needs using a set of design
factors as parameters to
customize and prioritize the
governance system components.

End-to-End Governance System
• A governance system should
cover the enterprise end to end,
focusing not only on the IT
function but on all technology
and information processing the
enterprise puts in place to
achieve its goals, regardless
where the processing is located
in the enterprise
Enterprise
End-to-End
Governance

Three Principles for a Governance Framework

Based on Conceptual Model
• A governance framework should
be based on a conceptual
model, identifying the key
components and relationships
among components, to
maximize consistency and allow
automation.
COBIT 2019 Conceptual Model, acquired with
reversed engineering

Open and Flexible
be open and flexible. It should
allow the addition of new
content and the ability to
address new issues in the most
flexible way, while maintaining
integrity and consistency.

Aligned to Major Standards
align to relevant major related
standards, frameworks and
regulations.
Source: https://grcmusings.com/a-beginners-guide-to-information-security-
frameworks/

Referenced standards in COBIT 2019
• International Organization for Standardization /
International Electrotechnical Commission (ISO/IEC)
standards
• ISO/IEC 20000-1:2011(E)
• ISO/IEC 27001:2013/Cor.2:2015(E)
• ISO/IEC 27002:2013/Cor.2:2015(E)
• ISO/IEC 27004:2016(E)
• ISO/IEC 27005:2011(E)
• ISO/IEC 38500:2015(E)
• ISO/IEC 38502:2017(E)
• Information Technology Infrastructure Library (ITIL®) v3,
2011
• Institute of Internal Auditors® (IIA®), “Core
Principles for the Professional Practice of Internal
Auditing”
• King IV Report on Corporate Governance™, 2016
• King IV Report on Corporate Governance™, 2016
• CIS® Center for Internet Security®, The CIS Critical
Security Controls for Effective Cyber Defense, Version 6.1,
August 2016
• CMMI® Cybermaturity Platform, 2018
• CMMI® Data Management Maturity (DMM)SM model,
2014
• Committee of Sponsoring Organizations (COSO)
Enterprise Risk Management (ERM) Framework, June
2017
• European Committee for Standardization (CEN), e-
Competence Framework (e-CF) - A common European
Framework for ICT Professionals in all industry sectors -
Part 1: Framework, EN 16234-1:2016
• HITRUST® Common Security Framework, version 9,
September 2017
• Information Security Forum (ISF), The Standard of Good
Practice for Information Security 2016

Referenced standards in COBIT 2019
• US National Institute of Standards and Technology
(NIST) standards
• Framework for Improving Critical Infrastructure
Cybersecurity V1.1, April 2018
• Special Publication 800-37, Revision 2 (Draft), May 2018
• Special Publication 800-53, Revision 5 (Draft), August 2017
• A Guide to the Project Management Body of
Knowledge: PMBOK® Guide Sixth Edition, 2017
• PROSCI® 3-Phase Change Management Process
• Scaled Agile Framework for Lean Enterprises (SAFe®)
• Skills Framework for the Information Age (SFIA®) V6,
2015
• The Open Group IT4IT® Reference Architecture,
version 2.0
• The Open Group Standard TOGAF® version 9.2, 2018

COBIT 2019 Concepts

„/…/ concepts are entities that exist in the mind (mental objects)“ [Wikipedia]
Tangible entities Mental entities

COBIT 2019 – Products family / Publications
• COBIT® 2019 Framework: Introduction and Methodology
• Presentation of basic COBIT concepts.
• COBIT® 2019 Framework: Governance and Management
Objectives
• 40 basic management and governance goals and associated
processes.
• COBIT® 2019 Design Guide: Designing an Information and
Technology Governance Solution
• Design factors, including the process of designing a
customized management system for a specific organization.
• COBIT® 2019 Implementation Guide: Implementing and
Optimizing an Information and Technology Governance
Solution.
• IT Management System Implementation Guidelines. Based on
COBI5.

Comparing COBIT 2019 with COBIT5

Management and Governance Objectives
• If we want IT to contribute to the
goals of the company, it is
necessary to meet several goals of
their management and leadership.
• The objective of management or
governance always refers to:
• 1 process (with identical or similar
name).
• Several related components that help
achieve the goal.
• 40 objectives of the management
and governance of EGIT.

Governance and Management Domains
• Governance objectives are grouped in the Evaluate, Direct and
Monitor (EDM) domain.
• Management objectives are grouped into four domains:
• Align, Plan and Organize (APO) addresses the overall organization, strategy
and supporting activities for I&T.
• Build, Acquire and Implement (BAI) treats the definition, acquisition and
implementation of I&T solutions and their integration in business processes.
• Deliver, Service and Support (DSS) addresses the operational delivery and
support of I&T services, including security.
• Monitor, Evaluate and Assess (MEA) addresses performance monitoring and
conformance of I&T with internal performance targets, internal control
objectives and external requirements.

7 Components of the Governance System
• Components are factors that,
individually and collectively,
contribute to the good operations of
the enterprise’s governance system
over I&T.
• Components interact with each
other, resulting in a holistic
governance system for I&T.
• Components can be of different
types. The most familiar are
processes.

1. Processes
• Processes describe an organized
set of practices and activities to
achieve certain objectives and
produce a set of outputs that
support achievement of overall
IT-related goals.
Management
objective
Process
objective

2. Organizational structures
• Organizational structures are the
key decision-making entities in
an enterprise.

3. Principles, policies and frameworks
• Principles, policies and frameworks
translate desired behavior into
practical guidance for day-to-day
management.
• E.g., „governance knowledge use
policy“

4. Information
• Information is pervasive throughout
any organization and includes all
information produced and used by the
enterprise.
• COBIT focuses on the information
required for the effective functioning
of the governance system of the
enterprise.

5. Culture, ethics and behavior
• Culture, ethics and behavior of
individuals and of the enterprise
are often underestimated as
factors in the success of
governance and management
activities.
• Examples:
• „Embed a knowledge-sharing culture
in the enterprise.“
• „Proactively communicate the value
of knowledge to encourage
knowledge creation, use, reuse and
sharing.“

6. People, skills and competencies
• People, skills and competencies
are required for good decisions,
execution of corrective action
and successful completion of all
activities.
Vir: https://www.wikijob.co.uk/content/interview-advice/competencies/key-competencies

7. Services, infrastructure and applications
• Services, infrastructure and
applications include the
infrastructure, technology and
applications that provide the
enterprise with the governance
system for I&T processing.
Vir: https://talks.navixy.com/reviews/infrastructure-as-a-service-and-telematics/

Focus Areas
• A focus area describes a certain
governance topic, domain or issue
that can be addressed by a
collection of governance and
management objectives and their
components.
• Examples of focus areas include
• small and medium enterprises,
• cybersecurity,
• digital transformation,
• cloud computing,
• privacy,
• DevOps.

11 Design factors
1. The strategy of the company.
2. Company goals that support the company strategy.
3. The IT risk profile of the company to which the
company is exposed.
4. I&T risks or matters that have already materialized.
5. The landscape of threats in which the company
operates.
6. Compliance requirements to be met by the
company.
7. The role of IT in the company.
8. Company acquisition model (outsource, cloud,
insource, hybrid,…)
9. IT implementation method (agile, DevOps,
traditional, hybrid)
10. Technology adoption strategy
11. Company size
Design factors are factors that can
influence the design of an enterprise’s
governance system and position it for
success in the use of I&T

Goals cascade
• Stakeholder drivers and needs
• 13 enterprise goals
• 13 alignment goals
(„Business – IT alignment)
• 40 governance and management
objectives
• Objectives
• BSC dimensions: finance, customers,
internally, growth
• Examples of metrics
COBIT 2019

Mapping Table: Enterprise Goals—Alignment
Goals

Mapping Table: Alignment Goals—Governance
and Management Objectives

… Mapping Table: Alignment Goals—Governance
and Management Objectives

COBIT 2019 Core Structure

COBIT 2019 Core Structure
The core structure
specifies how COBIT
2019 concepts are
interrelated and
presented.

COBIT 2019 – Metamodel
• The meta-model specifies the
main concepts of COBIT 2019
and their interrelationships.
• The metamodel is specified in
Unified Modeling Language
(UML) Class Diagrams Notation.
J. Rumbaugh, I. Jacobson, in G. Booch, Unified Modeling Language
Reference Manual, The (2Nd Edition). Pearson Higher Education, 2004.

COBIT
2019
–
Metamodel
(based
on
reversed
engineering)

Presentation of COBIT 2019 Concepts

Organization of objectives
• 40 management objectives
• Evaluate, Direct and Monitor (EDO)
• Align, Plan and Organize (APO)
• Build, Acquire and Implement (BAI)
• Deliver, Service and Support (DSS)
• Monitor, Evaluate and Assess (MEA)
• Information about specific objective
• Generic information
• Domain
• Focus area
• Name of objective
• Description
• Purpose
A
B
C
D E
F
G

High-level information detailed for each
objective

Goals Cascade
• Each governance or management objective supports the achievement
of alignment goals that are related to larger enterprise goals.

Alignment goals
• AG01: I&T compliance and support for business compliance with external laws and regulations
• AG02: Managed I&T-related risk
• AG03: Realized benefits from I&T-enabled investments and services portfolio
• AG04: Quality of technology-related financial information
• AG05: Delivery of I&T services in line with business requirements
• AG06: Agility to turn business requirements into operational solutions
• AG07: Security of information, processing infrastructure and applications, and privacy
• AG08: Enabling and supporting business processes by integrating applications and technology
• AG09: Delivering programs on time, on budget and meeting requirements and quality standards
• AG10: Quality of I&T management information
• AG11: I&T compliance with internal policies
• AG12: Competent and motivated staff with mutual understanding of technology and business
• AG13: Knowledge, expertise and initiatives for business innovation

Metrics

Component: A. Proces
• Each governance and management objective includes several process practices.
• Each process has one or more activities.

Component: A. Proces
• A capability level is assigned to
all process activities, enabling
clear definition of processes at
different capability levels.
• A process reaches a certain
capability level as soon as all
activities of that level are
performed successfully.

Component: B. Organizational Structures
• RACI matrix
• Responsible (R) Who is getting the task done? Who drives the task?
• Accountable (A) Who accounts for the success and achievement of the task?
• Consulted (C) Who is providing input?
• Informed (I) Who is receiving information?

Component: C. Information Flows and Items
• Each practice includes inputs and outputs, with indications of origin and
destination.
• In general, each output is sent to one or a limited number of destinations,
typically another COBIT process practice.
• That output then becomes an input to its destination

Component: C. Information Flows and Items
• A number of outputs have many
destinations.
• A complete list of such outputs
is included in figure 3.8.

Component: D. People, Skills and
Competencies
• The people, skills and competencies governance component
identifies human resources and skills required to achieve the
governance or management objective.
• COBIT® 2019 based this guidance on the Skills Framework for the
Information Age (SFIA®) V6 (version 6).

Component: E. Policies and Procedures
• This component provides detailed guidance on policies and procedures that are relevant for the
governance or management objective.
• The name of relevant policies and procedures is included, with a description of the purpose and
content of the policy.

Component: F. Culture, Ethics and Behavior
• The governance component on culture, ethics and behavior provides detailed
guidance on desired cultural elements within the organization that support the
achievement of a governance or management objective.

Component: G. Services, Infrastructure and
Applications
• The services, infrastructure and applications governance component provides
detailed guidance on third-party services, types of infrastructure and categories
of applications that can be applied to support the achievement of a governance
or management objective.
• Guidance is generic (to avoid naming specific vendors or products).

COBIT 2019 Management Objectives

Structure of COBIT Domains

Governance and Management Objectives

APO03—Managed Enterprise
Architecture

What is Enterprise Architecture
• Enterprise architecture (EA) is
concerned with the structures and
behaviors of a business, especially
business roles and processes that
create and use business data.
• The term architecture refers to
fundamental concepts or properties
of a system in its environment,
embodied in its elements,
relationships, and in the principles of
its design and evolution.
Source: https://www.modeliosoft.com/en/technologies/enterprise-architecture.html

APO03 — Managed Enterprise Architecture
• Establish a common architecture consisting of
business process, information, data, application and
technology architecture layers.
• Create key models and practices that describe the
baseline and target architectures, in line with the
enterprise and I&T strategy.
• Define requirements for taxonomy, standards,
guidelines, procedures, templates and tools, and
provide a linkage for these components.
• Improve alignment, increase agility, improve quality
of information and generate potential cost savings
through initiatives such as re-use of building block
components.

APO03 – Key Management Practices
• APO03.01 Develop the enterprise architecture vision.
• a first-cut, high-level description of the baseline and target architectures,
covering the business, information, data, application and technology domains.
• APO03.02 Define reference architecture.
• describes the current and target architectures for the business, information, data,
application and technology domains.
• APO03.03 Select opportunities and solutions.
• rationalizing the gaps between baseline and target architectures,
accounting for both business and technical perspectives, and logically
group them into project work packages.
• APO03.04 Define architecture implementation.
• creating a viable implementation and migration plan in alignment
with the program and project portfolios.
• APO03.05 Provide enterprise architecture services.
• including guidance to and monitoring of implementation projects.
Source: https://www.opengroup.org/togaf

BAI08—Managed Knowledge

Knowledge management
• Knowledge management (KM) is the process of creating, sharing, using and
managing the knowledge and information of an organization.
• It refers to a multidisciplinary approach to achieve organizational objectives by
making the best use of knowledge.
Source: https://www.theifactory.com/news/gaining-wisdom-from-data/

BAI08—Managed Knowledge
• Maintain the availability of relevant,
current, validated and reliable
knowledge and management
information to support all process
activities and to facilitate decision
making related to the governance and
management of enterprise I&T.
• Plan for the identification, gathering,
organizing, maintaining, use and
retirement of knowledge.

BAI08 - Key Management Practices
• BAI08.01 Identify and classify sources of information for governance and
management of I&T.
• Identify, validate and classify diverse sources of internal and external information
required to enable governance and management of I&T, including strategy
documents, incident reports and configuration information that progresses from
development to operations before going live.
• BAI08.02 Organize and contextualize information into knowledge.
• based on classification criteria. Identify owners, and leverage and implement
enterprise defined information levels of access to management information and
knowledge resources.
• BAI08.03 Use and share knowledge.
• Propagate available knowledge resources to relevant stakeholders and
communicate how these resources can be used to address different needs (e.g.,
problem solving, learning, strategic planning and decision making).
• BAI08.04 Evaluate and update or retire information.
• Measure the use and evaluate the currency and relevance of information.
Update information or retire obsolete information.

DSS01—Managed Operations

Operations Management
• Operations management (OPM) is an area of management concerned with
designing and controlling the process of production and redesigning
business operations in the production of goods or services.
• Operations management is mainly concerned with managing the physical
and technical function of an organization, particularly those relating to
production and manufacturing.
• OPM is generally concerned with controlling an existing process without
necessarily changing it.
• Business process management (BPM) is a form of operations management
that analyzes, models, executes, and monitors improvements.

DSS01—Managed Operations
• Coordinate and execute the
activities and operational
procedures required to deliver
internal and outsourced I&T
services.
• Include the execution of
predefined standard operating
procedures and the required
monitoring activities.

DSS01 – Key Management Practices
• DSS01.01 Perform operational procedures.
• Maintain and perform operational procedures and operational tasks reliably and consistently.
• DSS01.02 Manage outsourced I&T services.
• Manage the operation of outsourced I&T services to maintain the protection of enterprise
information and reliability of service delivery.
• DSS01.03 Monitor I&T infrastructure.
• Store sufficient chronological information in operations logs to reconstruct and review time
sequences of operations and other activities surrounding or supporting operations.
• DSS01.04 Manage the environment.
• Install specialized equipment and devices to monitor and control the environment.
• DSS01.05 Manage facilities.
• Manage facilities, including power and communications equipment, in line with laws and
regulations, technical and business requirements, vendor specifications, and health and
safety guidelines.

MEA01—Managed Performance
and Conformance Monitoring

Performance and Conformance Management
• Performance management (PM) is the process
of ensuring that a set of activities and outputs
meets an organization's goals in an effective
and efficient manner.
• Performance management can focus on the
performance of an organization, a
department, an employee, or the processes in
place to manage particular tasks.
• Performance aims at improving profitability,
efficiency, effectiveness, growth, etc.
• Conformance aims at adhering to legislation,
internal policies, audit requirements, etc.
Source: http://www.maternatorre.it/?p=85742

MEA01—Managed Performance and
Conformance Monitoring
• Managed Performance and Conformance
Monitoring aims to collect, validate and evaluate
enterprise and alignment goals and metrics.
• It monitors that processes and practices are
performing against agreed performance and
conformance goals and metrics.
• It provides reporting that is systematic and
timely.
• The purpose is to provide transparency of
performance and conformance and drive
achievement of goals.

MEA01 – Key Management Practices
• MEA01.01 Establish a monitoring approach.
• establish and maintain a monitoring approach to define the objectives, scope and method for
measuring business solution and service delivery and contribution to enterprise objectives.
• MEA01.02 Set performance and conformance targets.
• periodically review, update and approve performance and conformance targets within the
performance measurement system.
• MEA01.03 Collect and process performance and conformance data.
• Collect and process timely and accurate data aligned with enterprise approaches.
• MEA01.04 Analyze and report performance.
• Periodically review and report performance against targets.
• MEA01.05 Ensure the implementation of corrective actions
• Assist stakeholders in identifying, initiating and tracking corrective actions to address
anomalies.

EDM04—Ensured Resource
Optimization

Resource Optimization
• Resource optimization is a set of
processes and methods to match the
available resources (human,
machinery, financial) with the needs
of the organization in order to achieve
established goals.
Source: https://doc-archives.microstrategy.com/

EDM04—Ensured Resource Optimization
• Ensure that adequate and sufficient
business and I&T-related resources
(people, process and technology) are
available to support enterprise objectives
effectively and, at optimal cost.
• The purpose is to ensure that the
resource needs of the enterprise are met
in the optimal manner, I&T costs are
optimized, and there is an increased
likelihood of benefit realization and
readiness for future change.

EDM04 - Key Governance Practices
• EDM04.01 Evaluate resource management.
• Continually examine and evaluate the current and future need for business and I&T resources
(financial and human), options for resourcing (including sourcing strategies), and allocation
and management principles to meet the needs of the enterprise in the optimal manner.
• EDM04.02 Direct resource management.
• Ensure the adoption of resource management principles to enable optimal use of business
and I&T resources throughout their full economic life cycle.
• EDM04.03 Monitor resource management.
• Monitor the key goals and metrics of the resource management processes. Determine how
deviations or problems will be identified, tracked and reported for remediation.

Independent work
• Review COBIT 2019 Governance and Management objectives.
• Get familiar with the objectives (i.e. process area), most familiar
to you.
• Independently of COBIT 2019, study and get an insight into the
selected process area:
• Identify the main concepts and try to understand them.
• Identify potential software, which supports the process area.
• Identify potential referencing standards and best practices, which
may be applied to the process area.
• Apply relevant COBIT 2019 Governance and Management
objectives to the process area.
Get familiar with
process area, relevant
concepts, software,
standards, best
practices, etc.
1.
2.
3. Apply COBIT

Summary
Assets in IT IT Management EGIT with COBIT 2019

Literature and sources
• K. Brand, IT Governance based on Cobit 4.1 - A Management Guide, 3rd izd. Van Haren Publishing, 2007.
• G. Hardy, „Using IT governance and COBIT to deliver value with IT and respond to legal, regulatory and compliance challenges“, Information Security
Technical Report, let. 11, št. 1, str. 55–61, 2006, doi: 10.1016/j.istr.2005.12.004.
• I. S. Audit in C. Association, COBIT 2019 Framework: Introduction and Methodology. ISACA, 2018.
• Steuperaert D. COBIT 2019: A significant update. EDPACS. 2019 Jan 2;59(1):14-8.
• De Haes S, Van Grembergen W, Joshi A, Huygh T. COBIT as a Framework for Enterprise Governance of IT. InEnterprise governance of information
technology 2020 (pp. 125-162). Springer, Cham.
• Svatá V. COBIT 2019: Should We Care?. In2019 9th International Conference on Advanced Computer Information Technologies (ACIT) 2019 Jun 5 (pp.
329-332). IEEE.
• Fernandes A, Almeida R, Mira da Silva M. A Flexible Method for COBIT 2019 Process Selection.
• Yasin M, Arman AA, Edward IJ, Shalannanda W. Designing Information Security Governance Recommendations and Roadmap Using COBIT 2019
Framework and ISO 27001: 2013 (Case Study Ditreskrimsus Polda XYZ). In2020 14th International Conference on Telecommunication Systems,
Services, and Applications (TSSA 2020 Nov 4 (pp. 1-5). IEEE.
• Gerl A, von der Heyde M, Groß R, Seck R, Watkowski L. Applying COBIT 2019 to IT Governance in Higher Education. INFORMATIK 2020. 2021.
• COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, Information Systems Audit and Control Association, Isaca,
Information Systems Audit and Control Association, 2018, ISBN 1604207612.
• Nachrowi, E., Nurhadryani, Y., & Sukoco, H. (2020). Evaluation of Governance and Management of Information Technology Services Using Cobit 2019
and ITIL 4. Jurnal RESTI (Rekayasa Sistem Dan Teknologi Informasi), 4(4), 764-774.

Thank you for your attetion!
gregor.polancic@um.si
www.polancic.com

An Introduction to IT Management with COBIT 2019

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a An Introduction to IT Management with COBIT 2019

Semelhante a An Introduction to IT Management with COBIT 2019 (20)

Mais de Gregor Polančič

Mais de Gregor Polančič (12)

Último

Último (20)

An Introduction to IT Management with COBIT 2019