TRENDS. January 5, 2006 COBIT Versus Other Frameworks: A Road Map To Comprehensive IT Governance. by Craig Symons



by Craig Symons with Laurie M. Orlov, Katherine Brown, and Samuel Bright

EXECUTIVE SUMMARY

Growing IT visibility has triggered significant interest in IT governance and in improved management of IT. CIOs are expected to align IT and business strategies, demonstrate value, and provide best-in-class service at the lowest price. CIOs who fail to deliver are quickly replaced, or the IT function is outsourced. During the past few years, a number of frameworks have proliferated to help IT organizations improve overall governance, accountability, and service delivery. Many of these frameworks are not mutually exclusive, and a good understanding of their focus, strengths, and weaknesses is essential for all IT managers.

TABLE OF CONTENTS

Frameworks Are Great, But Which Ones Fit My Business?
    Use COBIT For IT Governance And Control
    Use ITIL For Service Delivery And Support
    Use ISO 17799 For Security
No Solution Is Complete On Its Own
RECOMMENDATIONS: Establish Frameworks To Ease Governance Implementation
WHAT IT MEANS: Frameworks Help Run IT Like A Business

NOTES & RESOURCES

Forrester interviewed vendors and user companies for this research.

Related Research Documents
"COBIT Maturity Assessment: Are You Ready?" October 3, 2005, Trends
"The Management Process Alphabet Soup," September 1, 2005, Best Practices
"Revised ISO 17799 Boosts Information Security Management Relevance," July 1, 2005, Quick Take

© 2006, Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, Forrester's Ultimate Consumer Panel, WholeView 2, Technographics, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester clients may make one attributed copy or slide of each figure contained herein. Additional reproduction is strictly prohibited. For additional reproduction rights and usage information, see Forrester's Web site. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. To purchase reprints of this document, please contact resourcecenter@forrester.com.

FRAMEWORKS ARE GREAT, BUT WHICH ONES FIT MY BUSINESS?

Boards of directors' oversight of IT is becoming increasingly common as a result of several factors: the increase in investment in IT (IT budgets comprise 1.5% to 12% of revenues and more than 50% of a firm's capital budget); the increasingly critical role that IT plays in core business processes, where system downtime means revenue downtime; and the growing impact of regulation and compliance such as Sarbanes-Oxley, HIPAA, and Basel II. These factors have created an environment in which:

Frameworks are proliferating to help with governance. During the past five years, a number of frameworks, methodologies, and practices have been developed for, or adopted by, IT to better govern and manage performance. These include Control Objectives for Information and related Technology (COBIT), the IT Infrastructure Library (ITIL), International Organization for Standardization (ISO) 17799, CMM, PRINCE, MSP, PMBOK, the Balanced Scorecard, and Six Sigma. It is very easy to get confused by the alphabet soup of alternatives, which can lead to paralysis (when CIOs can't make a decision) or to choosing one and finding out later that it misses the mark.

CIOs must educate themselves on how the frameworks are used. Most of these frameworks are not mutually exclusive and are most effective when used in combination with one another. The road to a comprehensive IT governance framework involves understanding the differences among the frameworks and when to apply each one. [1] To help explain the major frameworks and how they relate to one another, we have mapped the major elements of COBIT, ITIL, and ISO 17799 to one another and provide more detailed guidance on their use.

Use COBIT For IT Governance And Control

Boards of directors, executive management, and IT management all have a vested interest in IT governance; their common goal is to maximize the business value derived from IT investments while managing risk. [2] However, implementing IT governance is easier said than done; it often involves a significant change-management exercise while the old culture is replaced with the new. While many effective IT governance frameworks have been developed by organizations from the ground up, adapting an existing framework can make things much easier and deliver tangible results sooner.

What is COBIT? The starting point for an IT governance framework should be COBIT, because it is the most comprehensive IT governance framework available today. Originally developed by the Information Systems Audit and Control Association (ISACA) in 1996 and turned over in 1998 to the newly created IT Governance Institute, COBIT is now in its third edition, and an enhanced fourth edition is about to be published. [3]

Who is the target for COBIT? COBIT is designed for three constituencies: management, users, and auditors. It helps management balance risk and control in their IT investments, while providing assurance for users that security and controls over IT services exist. For auditors, COBIT substantiates their opinions and assists them in providing advice to management on internal controls.

What are the components of COBIT? The COBIT framework consists of a hierarchy of domains, IT processes with their corresponding high-level control objectives, and detailed control objectives. There are currently four domains, which include 34 high-level control objectives supported by 318 detailed control objectives (see Figure 1).

How does it relate to CMM? The COBIT framework has been further enhanced with a maturity model based on the concept originally developed by the Software Engineering Institute (SEI) and known as the Capability Maturity Model, or CMM. Using the maturity model, organizations can map where they stand with respect to the best-in-class offering for each of the 34 defined IT processes. [4]

What are COBIT's key strengths? COBIT's strengths lie in its focus on IT management and control and in its breadth, with every important IT process included in its coverage. It helps management understand what they need to do to ensure that investments in IT are maximized around business value, do not represent unacceptable risks, comply with all applicable regulatory requirements, and can be audited. COBIT does not, however, tell management how to do these things, which is why COBIT is not a complete management framework for IT and should be augmented with other frameworks.

Use ITIL For Service Delivery And Support

ITIL is a series of eight books that provide consistent and comprehensive best practices for IT service management and delivery. ITIL provides the foundation for quality IT service management. ITIL was initially developed and published by the British Office of Government Commerce (OGC) to promote efficient and effective use of IT resources within the British government. In 2000, it was revised in conjunction with the British Standards Institute (BSI) and incorporated within BS15000. [5] The eight ITIL books include:

Planning To Implement Service Management. This book deals explicitly with the question of where to start with ITIL. It outlines the steps necessary to identify how the organization would benefit from ITIL. It helps identify current strengths and weaknesses and gives practical guidance on evaluating the current maturity level of service management within the organization.

The Business Perspective. This book is designed to familiarize business management with the architecture and components of the information and communications technology (ICT) infrastructure required to support the business processes. The book helps business leaders better understand the benefits of best practices in IT service management.

Figure 1: COBIT Framework's Domains And Objectives

Planning and organizing (11 processes):
Define an IT strategic plan; Define the information architecture; Define technology direction; Define the IT organization; Manage the IT investment; Communicate aims and direction; Manage human resources; Ensure compliance; Assess risks; Manage projects; Manage quality.

Acquisition and implementation (6 processes):
Identify solutions; Acquire and maintain applications; Acquire and maintain infrastructure; Develop and maintain procedures; Install and accredit systems; Manage changes.

Delivery and support (13 processes):
Define and manage service levels; Manage third-party services; Manage performance and capacity; Ensure continuous service; Ensure systems security; Identify and allocate costs; Educate and train users; Assist and advise customers; Manage the configuration; Manage problems and incidents; Manage data; Manage facilities; Manage operations.

Monitoring (4 processes):
Monitor the processes; Assess internal control adequacy; Obtain independent assurance; Provide for independent audit.

Source: Forrester Research, Inc.

Software Asset Management. This book encompasses the infrastructure and processes necessary for effective management, control, and protection of the software assets within an organization throughout all stages of their life cycle.

Service Support. This book focuses on ensuring that the customer has access to appropriate services to support business functions. It covers configuration management and other support management issues, including incident, problem, change, and release management.

Service Delivery. This book covers the services the business requires of IT to enable adequate support for the business users. This includes processes for service-level management, availability management, capacity management, financial management for IT services, and continuity management.

Security Management. This book looks at security from the service provider's perspective, identifying the relationship between security management and the IT security officer, as well as outlining how ITIL provides the level of security necessary for the entire organization. It further focuses on the process of implementing the security requirements identified in the IT service-level agreement (SLA).

ICT Infrastructure Management. This book covers all aspects of infrastructure management, from identification of business requirements to acquiring, testing, installing, and deploying infrastructure components. It includes the design and planning processes, deployment processes, operations processes, and technical support processes.

Application Management. This book addresses the complex subject of managing applications from initial business requirements through the application management life cycle, up to and including retirement. A strong emphasis is placed on ensuring that IT projects and strategies are tightly aligned with those of the business throughout the application's life cycle. Once an application is approved and funded, it is tracked throughout its life cycle by ITIL's software asset management function.

While ITIL addresses all of the above areas with its books, its strength lies in service delivery and management, where it is more mature and has been implemented by many organizations. ITIL can be mapped to parts of COBIT; in fact, of the 34 high-level COBIT processes, 22 can be mapped to ITIL best practices, with a preponderance in the delivery and support domain (see Figure 2).

Figure 2: COBIT Processes Covered By ITIL (chart showing, for each COBIT domain — planning and organization, acquisition and implementation, delivery and support, and monitoring — which COBIT processes are addressed by ITIL and which are not). Source: Forrester Research, Inc.

Use ISO 17799 For Security

Unlike COBIT and ITIL, ISO 17799 is an international standard, first published in 2000 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under a joint technical committee. [6] The standard provides information for implementing information security within an organization. ISO 17799 contains best practices for information security policies, assignment of responsibility for information security, problem escalation, and business continuity management. This information is organized into 10 sections that contain 36 objectives and 127 controls. These 10 sections and their key elements include:

Security policy. An information security policy is defined and receives the commitment and support of senior management. The policy is documented and communicated throughout the organization and is part of the orientation for every new employee.

Organizational security. The organizational construct around security is defined. This includes the assignment of responsibility for information security to individuals, establishment of a forum for coordination, a definition of responsibility areas for managers, a definition of an authorization process for IT facilities, a definition of how third-party relationships will be handled, and a provision for third-party security reviews. This would also include comprehensive measures for management of third-party services, including definition of risks and security requirements.

Asset classification and control. Responsibility for asset management must be defined, and all assets must be inventoried. Information must be classified following a generally accepted system to ensure that an appropriate level of protection is available.

Personnel security. Each employee's responsibility for security is defined, along with confidentiality agreements and contractual responsibilities. Also, adequate controls for personnel screening are in place, information security education and training is developed, and a reporting process for security incidents, vulnerabilities, and software malfunctions is defined.

Physical and environmental security. Equipment is installed in secure areas where adequate access controls are in place and damage prevention efforts are implemented. Equipment is protected against loss, damage, or compromise. Disposal or reuse of information on obsolete or off-premise equipment is defined.

Communications and operations management. Operations must follow documented procedures, with changes being documented. Procedures for incident management and release management, and processes for acceptance of new systems, are defined. Duties should be segregated to ensure that no individual can both initiate and authorize an event, and development and operational facilities must also be separated. Information must be backed up, and the backup process should be tested regularly.

Access control. Access to information should be granted in accordance with business and security requirements. User access management should follow a formal process, and user responsibilities must be clearly defined, while system access and use are monitored constantly.

Systems development and maintenance. Security issues are considered when implementing systems, following defined requirements. Security in application systems covers validation of input data, controls over internal processing, message authentication, and validation of output data. Access to system files is controlled.

Business continuity management. A comprehensive business continuity management process is defined to prevent interruptions to business processes. This process is not restricted to IT-related areas but encompasses the end-to-end business processes. Plans are developed as part of an impact analysis, and they are tested, maintained, and reassessed continuously.

Compliance. Compliance with security policies is ensured through periodic security audits.

ISO 17799 addresses all of the above areas to provide a comprehensive approach to security. ISO 17799 can be mapped to parts of COBIT; in fact, of the 34 high-level COBIT processes, 25 can be mapped to ISO 17799 (see Figure 3).

Figure 3: COBIT Processes Covered By ISO 17799 (chart showing, for each COBIT domain — planning and organization, acquisition and implementation, delivery and support, and monitoring — which COBIT processes are addressed by ISO 17799 and which are not). Source: Forrester Research, Inc.

NO SOLUTION IS COMPLETE ON ITS OWN

Unfortunately, there is no silver bullet: no single complete framework that IT managers can use to implement comprehensive IT governance and management. However, several relatively mature frameworks can be combined to assemble a more complete and comprehensive governance framework. Only COBIT addresses the full spectrum of IT governance processes, but it does so from a high-level management and business perspective with an emphasis on audit and control. Other frameworks address a subset of processes in more detail, including ITIL for IT service management and delivery, and ISO 17799 for IT security. These can be further augmented by additional frameworks and methodologies, including Six Sigma for process improvement and the Balanced Scorecard for IT performance management. [7]

RECOMMENDATIONS

ESTABLISH FRAMEWORKS TO EASE GOVERNANCE IMPLEMENTATION

A number of mature frameworks can be combined to enable organizations to implement quality IT governance and management more quickly.

First, COBIT for overall governance. Organizations looking to implement effective and comprehensive IT governance should adopt COBIT as the overarching governance framework. COBIT is readily accessible to both business and IT professionals and contains a wealth of supporting documentation and tools that ease and accelerate its adoption.

Then, ITIL for IT service delivery and management. Once COBIT has been implemented, IT organizations are urged to adopt ITIL as a best-practices framework for IT service delivery and management. Mapping COBIT's IT processes to the corresponding ITIL best practices creates a robust and powerful framework for implementing IT governance and improving IT operational performance.

Then, ISO 17799 for information security. Information security is best managed through the adoption of the ISO 17799 standard, which can also be mapped to COBIT's IT processes.

Balanced Scorecard for measurement and communication. Strongly consider implementing an IT balanced scorecard to measure and communicate IT performance against its strategic goals. The Balanced Scorecard is promoted by the IT Governance Institute as the de facto performance measurement methodology.

WHAT IT MEANS

FRAMEWORKS HELP RUN IT LIKE A BUSINESS

Ultimately, boards of directors and executive management want more transparency in IT. Transparency is attained with IT governance and IT performance management, which form the foundation of running IT like a business. CIOs who build IT organizations that focus on the customer, deliver high-quality and cost-effective IT services, and engage business units as partners in developing and implementing innovative business change will find their future secure. [8] Those who continue to run IT like a black box will not be so lucky.

ENDNOTES

1. Pressures to decrease cost, increase reliability, and comply with local regulations conspire to make it harder than ever for IT to deliver business services efficiently. This quest for process improvement is the root cause of a universal interest in best practices and in frameworks such as ITIL, ISO 17799, and COBIT. See the September 1, 2005, Best Practices "The Management Process Alphabet Soup."

2. An effective IT governance framework consists of governance structures, processes, and measurement and communication. See the March 29, 2005, Best Practices "IT Governance Framework."

3. The IT Governance Institute (ITGI) was created by ISACA specifically to oversee COBIT and other IT governance-related activities. Since its first edition was published in 1996, COBIT has evolved and is about to be published in its fourth edition. Much of COBIT is freely available via ITGI's Web site.

4. The ITGI has developed a generic maturity model for COBIT, as well as more detailed management guidelines. See the October 3, 2005, Trends "COBIT Maturity Assessment: Are You Ready?"

5. BS15000 is the first worldwide standard specifically aimed at IT service management. It describes an integrated set of management processes for effective delivery of services to the business and its customers. BS15000 consists of two parts: a formal specification that defines the requirements for an organization to deliver managed services of an acceptable quality for its customers, and a Code of Practice.

6. ISO/IEC has released the second version of ISO/IEC 17799 (ISO/IEC 17799:2005), the most widely adopted information security management framework. The original standard, ISO/IEC 17799:2000, has gained momentum during the past five years. Organizations around the world have used it as the centerpiece of their security programs. However, the original standard had some weak areas, which have been addressed in the second version. ISO/IEC 17799:2005 provides a strong and expanded framework for information security management. However, it is just a framework: it gives organizations guidance about scope and breadth, but it does not provide the depth of a strong information security program. Further information is available from the International Organization for Standardization's Web site. See the July 1, 2005, Quick Take "Revised ISO 17799 Boosts Information Security Management Relevance."

7. ITIL describes best practices for IT service delivery and support processes. IT organizations that are struggling with the overall quality of their IT processes should consider implementing a process improvement methodology. See the June 3, 2005, Best Practices "Six Sigma And Process Optimization Improves IT Service Delivery." Measuring and communicating the performance of the IT organization is best done using a methodology such as Norton and Kaplan's Balanced Scorecard, adapted for IT. See the August 20, 2004, Quick Take "IT Governance And The Balanced Scorecard."

8. CIOs can assess their organization's degree of maturity in running IT like a business by assessing the maturity of IT's linkage of technology to the firm's strategy, whether IT is mature at running its business operations, and how evolved IT is at managing relationships with business stakeholders. See the June 6, 2005, Best Practices "The Economics Of IT."



More information

An Overview of ISO/IEC family of Information Security Management System Standards

An Overview of ISO/IEC family of Information Security Management System Standards What is ISO/IEC 27001? The ISO/IEC 27001 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is known as Information

More information

IT MANAGER PERMANENT SALARY SCALE: P07 (R ) Ref:AgriS042/2019 Information Technology Manager. Reporting to. Information Technology (IT)

IT MANAGER PERMANENT SALARY SCALE: P07 (R ) Ref:AgriS042/2019 Information Technology Manager. Reporting to. Information Technology (IT) DESIGNATION Reporting to Division Office Location IT MANAGER PERMANENT SALARY SCALE: P07 (R806 593.00) Ref:AgriS042/2019 Information Technology Manager CEO Information Technology (IT) Head office JOB PURPOSE

More information

Mastering The Endpoint

Mastering The Endpoint Organizations Find Value In Integrated Suites GET STARTED Overview In the face of constantly evolving threat vectors, IT security decision makers struggle to manage endpoint security effectively. More

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management INTERNATIONAL STANDARD ISO/IEC 17799 First edition 2000-12-01 Information technology Code of practice for information security management Technologies de l'information Code de pratique pour la gestion

More information

ISACA Cincinnati Chapter March Meeting

ISACA Cincinnati Chapter March Meeting ISACA Cincinnati Chapter March Meeting Recent and Proposed Changes to SOC Reports Impacting Service and User Organizations. March 3, 2015 Presenters: Sayontan Basu-Mallick Lori Johnson Agenda SOCR Overview

More information

COURSE BROCHURE. COBIT5 FOUNDATION Training & Certification

COURSE BROCHURE. COBIT5 FOUNDATION Training & Certification COURSE BROCHURE COBIT5 FOUNDATION Training & Certification What is COBIT5? COBIT 5 (Control Objectives for Information and Related Technology) is an international open standard that defines requirements

More information

Integrating ITIL and COBIT 5 to optimize IT Process and service delivery. Johan Muliadi Kerta

Integrating ITIL and COBIT 5 to optimize IT Process and service delivery. Johan Muliadi Kerta Integrating ITIL and COBIT 5 to optimize IT Process and service delivery Johan Muliadi Kerta Measurement is the first step that leads to control and eventually to improvement. If you can t measure something,

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

Company Overview. global-lynx. Version: September 30, 2015

Company Overview.  global-lynx. Version: September 30, 2015 Company Overview Version: September 30, 2015 www.globallynx.com global-lynx 1. Why Global Lynx? Most likely your enterprise has made significant investments to enhance or transform your IT organization;

More information

Introduction to ISO/IEC 27001:2005

Introduction to ISO/IEC 27001:2005 Introduction to ISO/IEC 27001:2005 For ISACA Melbourne Chapter Technical Session 18 th of July 2006 AD Prepared by Endre P. Bihari JP of Performance Resources What is ISO/IEC 17799? 2/20 Aim: Creating

More information

ISO/IEC TR TECHNICAL REPORT. Information technology Security techniques Information security management guidelines for financial services

ISO/IEC TR TECHNICAL REPORT. Information technology Security techniques Information security management guidelines for financial services TECHNICAL REPORT ISO/IEC TR 27015 First edition 2012-12-01 Information technology Security techniques Information security management guidelines for financial services Technologies de l'information Techniques

More information

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010 JAYACHANDRAN.B,CISA,CISM jb@esecurityaudit.com August 2010 SAS 70 Audit Concepts and Benefits Agenda Compliance requirements Overview Business Environment IT Governance and Compliance Management Vendor

More information

TRENDS. March 14, 2006 Firms Must Take ITIL Beyond IT Operational Goals. by Richard Peynot. Helping Business Thrive On Technology Change

TRENDS. March 14, 2006 Firms Must Take ITIL Beyond IT Operational Goals. by Richard Peynot. Helping Business Thrive On Technology Change March 14, 2006 Firms Must Take ITIL Beyond IT Operational Goals by Richard Peynot TRENDS Helping Business Thrive On Technology Change TRENDS Includes Forrester user interview data March 14, 2006 Firms

More information

Security and Privacy Governance Program Guidelines

Security and Privacy Governance Program Guidelines Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) 1. Domain 1 The Process of Auditing Information Systems Provide audit services in accordance with IT audit standards to assist the organization in protecting

More information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,

More information

The Experience of Generali Group in Implementing COBIT 5. Marco Salvato, CISA, CISM, CGEIT, CRISC Andrea Pontoni, CISA

The Experience of Generali Group in Implementing COBIT 5. Marco Salvato, CISA, CISM, CGEIT, CRISC Andrea Pontoni, CISA The Experience of Generali Group in Implementing COBIT 5 Marco Salvato, CISA, CISM, CGEIT, CRISC Andrea Pontoni, CISA Generali Group at a glance Let me introduce myself Marco Salvato CISA, CISM, CGEIT,

More information

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD INTERNATIONAL STANDARD ISO/IEC 27006 Second edition 2011-12-01 Information technology Security techniques Requirements for bodies providing audit and certification of information security management systems

More information

Three Key Challenges Facing ISPs and Their Enterprise Clients

Three Key Challenges Facing ISPs and Their Enterprise Clients Three Key Challenges Facing ISPs and Their Enterprise Clients GRC, enterprise services, and ever-evolving hybrid infrastructures are all dynamic and significant challenges to the ISP s enterprise clients.

More information

Predictive Insight, Automation and Expertise Drive Added Value for Managed Services

Predictive Insight, Automation and Expertise Drive Added Value for Managed Services Sponsored by: Cisco Services Author: Leslie Rosenberg December 2017 Predictive Insight, Automation and Expertise Drive Added Value for Managed Services IDC OPINION Competitive business leaders are challenging

More information

Vulnerability Management Trends In APAC

Vulnerability Management Trends In APAC GET STARTED Introduction In the age of the customer, the threat landscape is constantly evolving. Attackers are out to steal your company s data, and the ever-expanding number of devices and technologies

More information

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets. REPORT FOR ACTION IT Infrastructure and IT Asset Management Review: Phase 1: Establishing an Information Technology Roadmap to Guide the Way Forward for Infrastructure and Asset Management Date: January

More information

REPORT 2015/010 INTERNAL AUDIT DIVISION

REPORT 2015/010 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/010 Audit of information and communications technology strategic planning, governance and management in the Investment Management Division of the United Nations Joint

More information

ISO/IEC TR TECHNICAL REPORT

ISO/IEC TR TECHNICAL REPORT TECHNICAL REPORT ISO/IEC TR 27019 First edition 2013-07-15 Information technology Security techniques Information security management guidelines based on ISO/IEC 27002 for process control systems specific

More information

CISM Certified Information Security Manager

CISM Certified Information Security Manager CISM Certified Information Security Manager Firebrand Custom Designed Courseware Logistics Start Time Breaks End Time Fire escapes Instructor Introductions Introduction to Information Security Management

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management INTERNATIONAL STANDARD ISO/IEC 17799 First edition 2000-12-01 Information technology Code of practice for information security management Technologies de l'information Code de pratique pour la gestion

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

Position Description IT Auditor

Position Description IT Auditor Position Title IT Auditor Position Number Portfolio Performance and IT Audit Location Victoria Supervisor s Title IT Audit Director Travel Required Yes FOR OAG HR USE ONLY: Approved Classification or Leadership

More information

OVERVIEW BROCHURE GRC. When you have to be right

OVERVIEW BROCHURE GRC. When you have to be right OVERVIEW BROCHURE GRC When you have to be right WoltersKluwerFS.com In response to today s demanding economic and regulatory climate, many financial services firms are transforming operations to enhance

More information

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more. FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013 Visit us online at Flank.org to learn more. HITRUST CSF v9 Framework ISO 27001/27002:2013 Framework FLANK ISO 27001/27002:2013 Documentation from

More information

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose: STAFF REPORT January 26, 2001 To: From: Subject: Audit Committee City Auditor Information Security Framework Purpose: To review the adequacy of the Information Security Framework governing the security

More information

Evolve Your Security Operations Strategy To Account For Cloud

Evolve Your Security Operations Strategy To Account For Cloud Evolve Your Security Operations Strategy To Account For Cloud GET STARTED The growth of cloud computing and proliferation of complex service delivery models continue to accelerate as companies recognize

More information

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product. Isaca EXAM - CISM Certified Information Security Manager Buy Full Product http://www.examskey.com/cism.html Examskey Isaca CISM exam demo product is here for you to test the quality of the product. This

More information

ISO/ IEC (ITSM) Certification Roadmap

ISO/ IEC (ITSM) Certification Roadmap ISO/ IEC 20000 (ITSM) Certification Roadmap Rasheed Adegoke June 2013 Outline About First Bank Motivations Definitions ITIL, ISO/IEC 20000 & DIFFERENCES ISO/ IEC 20000 Certification Roadmap First Bank

More information

Red Hat Virtualization Increases Efficiency And Cost Effectiveness Of Virtualization

Red Hat Virtualization Increases Efficiency And Cost Effectiveness Of Virtualization Forrester Total Economic Impact Study Commissioned by Red Hat January 2017 Red Hat Virtualization Increases Efficiency And Cost Effectiveness Of Virtualization Technology organizations are rapidly seeking

More information

John Snare Chair Standards Australia Committee IT/12/4

John Snare Chair Standards Australia Committee IT/12/4 John Snare Chair Standards Australia Committee IT/12/4 ISO/IEC 27001 ISMS Management perspective Risk Management (ISO 31000) Industry Specific Standards Banking, Health, Transport, Telecommunications ISO/IEC

More information

Global Statement of Business Continuity

Global Statement of Business Continuity Business Continuity Management Version 1.0-2017 Date January 25, 2017 Status Author Business Continuity Management (BCM) Table of Contents 1. Credit Suisse Business Continuity Statement 3 2. BCM Program

More information

FDIC InTREx What Documentation Are You Expected to Have?

FDIC InTREx What Documentation Are You Expected to Have? FDIC InTREx What Documentation Are You Expected to Have? Written by: Jon Waldman, CISA, CRISC Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity, LLC Since the FDIC rolled-out the

More information

WHO SHOULD ATTEND? ITIL Foundation is suitable for anyone working in IT services requiring more information about the ITIL best practice framework.

WHO SHOULD ATTEND? ITIL Foundation is suitable for anyone working in IT services requiring more information about the ITIL best practice framework. Learning Objectives and Course Descriptions: FOUNDATION IN IT SERVICE MANAGEMENT This official ITIL Foundation certification course provides you with a general overview of the IT Service Management Lifecycle

More information

Exam Requirements v4.1

Exam Requirements v4.1 COBIT Foundation Exam Exam Requirements v4.1 The purpose of this document is to provide information to those interested in participating in the COBIT Foundation Exam. The document provides information

More information

Build Your Zero Trust Security Strategy With Microsegmentation

Build Your Zero Trust Security Strategy With Microsegmentation Why Digital Businesses Need A Granular Network Segmentation Approach GET STARTED Overview The idea of a secure network perimeter is dead. As companies rapidly scale their digital capabilities to deliver

More information

Frequently Asked Questions

Frequently Asked Questions December 2001 Introduction International Standard ISO/IEC 17799:2000 Information Security Management, Code of Practice for Information Security Management Frequently Asked Questions The National Institute

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

Global Security Consulting Services, compliancy and risk asessment services

Global Security Consulting Services, compliancy and risk asessment services Global Security Consulting Services, compliancy and risk asessment services Introduced by Nadine Dereza Presented by Suheil Shahryar Director of Global Security Consulting Today s Business Environment

More information

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore

More information

Getting Started with ITIL

Getting Started with ITIL Getting Started with ITIL SMSG 17 th June 2013 BCS Nottingham & Derby Branch Overview Service Management has been adopted by many thousands of companies worldwide but what is it? Fundamentally, it s a

More information

AT FIRST VIEW C U R R I C U L U M V I T A E. Diplom-Betriebswirt (FH) Peter Konrad. Executive Partner Senior Consultant

AT FIRST VIEW C U R R I C U L U M V I T A E. Diplom-Betriebswirt (FH) Peter Konrad. Executive Partner Senior Consultant Our Contact Details IT-SCAN GMBH c/o: DOCK3 Hafenstrasse 25-27 68159 Mannheim E: info@it-scan.de W: www.it-scan.de Nationalität Berufserfahrung C U R R I C U L U M V I T A E Diplom-Betriebswirt (FH) Peter

More information

ISO/IEC Information technology Security techniques Code of practice for information security controls

ISO/IEC Information technology Security techniques Code of practice for information security controls INTERNATIONAL STANDARD ISO/IEC 27002 Second edition 2013-10-01 Information technology Security techniques Code of practice for information security controls Technologies de l information Techniques de

More information

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD INTERNATIONAL STANDARD ISO/IEC 27011 First edition 2008-12-15 Information technology Security techniques Information security management guidelines for telecommunications organizations based on ISO/IEC

More information

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED. Assistant Deputy Minister (Review Services) Reviewed by in accordance with the Access to Information Act. Information UNCLASSIFIED. Security Audits: Management Action Plan Follow-up December 2015 1850-3-003

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

What is ITIL. Contents

What is ITIL. Contents What is ITIL Contents What is ITIL and what are its origins?... 1 Services and Service Management... 2 Service Providers... 3 Stakeholders in Service Management... 3 Utility and Warranty... 4 Best Practices

More information

Getting Started with IT Service Management

Getting Started with IT Service Management Getting Started with IT Service Management SMSG 3rd March 2014 BCS Bristol Branch BCS Service Management Specialist Group The Service Management Specialist Group provides an avenue for developing and promoting

More information

IT Service Management: Southeast Area Practice Gary West Solution director Business Service Optimization

IT Service Management: Southeast Area Practice Gary West Solution director Business Service Optimization IT Service Management: Southeast Area Practice Gary West Solution director Business Service Optimization IT Under Attack IT costs are now more than 50% of the average Fortune 500 company s capital costs

More information

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS Introduction If you re a growing service organization, whether a technology provider, financial services corporation, healthcare company, or professional

More information

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY INFORMATION TECHNOLOGY GENERAL CONTROLS INFORMATION SYSTEMS AUDIT JANUARY 2016 EXECUTIVE SUMMARY PURPOSE

More information

locuz.com SOC Services

locuz.com SOC Services locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security

More information

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18 Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are

More information

Accelerate Your Enterprise Private Cloud Initiative

Accelerate Your Enterprise Private Cloud Initiative Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service

More information

SOC for cybersecurity

SOC for cybersecurity April 2018 SOC for cybersecurity a backgrounder Acknowledgments Special thanks to Francette Bueno, Senior Manager, Advisory Services, Ernst & Young LLP and Chris K. Halterman, Executive Director, Advisory

More information

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI CONTENTS Overview Conceptual Definition Implementation of Strategic Risk Governance Success Factors Changing Internal Audit Roles

More information

"Charting the Course... ITIL 2011 Managing Across the Lifecycle ( MALC ) Course Summary

Charting the Course... ITIL 2011 Managing Across the Lifecycle ( MALC ) Course Summary Course Summary Description ITIL is a set of best practices guidance that has become a worldwide-adopted framework for IT Service Management by many Public & Private Organizations. Since early 1990, ITIL

More information

Rethinking Information Security Risk Management CRM002

Rethinking Information Security Risk Management CRM002 Rethinking Information Security Risk Management CRM002 Speakers: Tanya Scott, Senior Manager, Information Risk Management, Lending Club Learning Objectives At the end of this session, you will: Design

More information

Apex Information Security Policy

Apex Information Security Policy Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8

More information

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener

More information

IT-CNP, Inc. Capability Statement

IT-CNP, Inc. Capability Statement Securing America s Infrastructure Security Compliant IT Operations Hosting Cyber Security Information FISMA Cloud Management Hosting Security Compliant IT Logistics Hosting 1 IT-CNP, Inc. is a Government

More information

Iso Controls Checklist File Type S

Iso Controls Checklist File Type S ISO 27002 CONTROLS CHECKLIST FILE TYPE S PDF - Are you looking for iso 27002 controls checklist file type s Books? Now, you will be happy that at this time iso 27002 controls checklist file type s PDF

More information

IT risks and controls

IT risks and controls Università degli Studi di Roma "Tor Vergata" Master of Science in Business Administration Business Auditing Course IT risks and controls October 2018 Agenda I IT GOVERNANCE IT evolution, objectives, roles

More information

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING Table of Contents Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING Chapter 1: Significance of Internal Auditing in Enterprises Today: An Update 3 1.1 Internal Auditing History and Background

More information

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive IT Governance ISO/IEC 27001:2013 ISMS Implementation Service description Protect Comply Thrive 100% guaranteed ISO 27001 certification with the global experts With the IT Governance ISO 27001 Implementation

More information

ISO A Business Critical Framework For Information Security Management

ISO A Business Critical Framework For Information Security Management ISO 27000 A Business Critical Framework For Information Security Management George Spalding Executive Vice President Pink Elephant Pink Elephant Leading The Way In IT Management Best Practices Agenda Framework

More information

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman

More information

Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com

Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com Better together KPMG LLP s GRC Advisory Services for IBM OpenPages implementations kpmg.com KPMG A leader in GRC services KPMG LLP (KPMG) is the U.S. member firm of the KPMG global network of professional

More information