Modeling Architecture for COBIT

Transcription

1 Volume 3, July 2011 Modeling Architecture for COBIT By Reinhold Thurner, Ph.D. Models and frameworks are used as a means to describe the structure and properties of processes and to provide guidelines on how these processes should be organized, monitored and assessed. These models (descriptions) are voluminous and complex artifacts. So, the question is: How can one describe these artifacts so that the information contained in the models can be properly managed? This article answers this question and demonstrates how to do so in practice. For that purpose, a model of COBIT was designed and stored along with the full content of the COBIT 4.1 framework, IT Assurance Guide: Using COBIT and the COBIT 4.1 Process Assessment Model Exposure Draft in a metasafe repository. The results are meaningful, not only for the existing version of COBIT, but also for the upcoming COBIT 5. Information Models About Models There are many publications about COBIT and how to use it. These publications exist in several languages and in various formats such as hard copies, e-books (PDF files), CDs, Excel files and online digital versions. The publications contain detailed descriptions in a top-down structure and also some cross-references between the components of the COBIT framework. The basis for all these documents and the essence of the system is the information model of COBIT. From a purely structural point of view, such a model consists of entities that are described by their properties and connected by relationships. The publications are merely specific views derived from this information base. Such an information base is a tool to: Write, review the components of the model and its structure, and maintain versions Create different views (e.g., for different stakeholders) and to produce the products for publication Translate the text into other languages while preserving the original structure Compare a model with other models (e.g., COBIT to Software Process Improvement and Capability Determination [SPICE], ITIL, or Capability Maturity Model Integration [CMMI]) Clone and adapt a model to a specific environment and purpose without losing the structure of and reference to the original Teach a model. The audience must understand the structure and purpose, but does not necessarily need to learn about all the details. Use or extend a model for an assessment. The results of an assessment are collected and stored in the information base and combined to create a report or even a plan/control a process for improvement. Figure 1 Simplified Information Model Architecture A (simplified) architecture for an information model (figure 1) consists of: The metamodel Describes the structure of the model ( the information base ) The model Contains all the instances in a fine-grained information base Views Provide individual views of selected entities, attributes and Come join the discussion! Reinhold Thurner will respond to questions and comments in the discussion area of the COBIT Use It Effectively topic beginning 15 July 2011.

2 relationships. Views are not an additional level within this structure, but a selection of an arbitrary set of elements of the structure. Views may show only a subset and may overlap. Creation of a Metamodel for COBIT A metamodel is not a theoretical construct but has a very clear purpose: It must explain the terms (such as management guideline, work product, process and resource), the properties of these terms (such as description, title, measured by, issues and level) and the relationships (such as uses, has, has output, is input and is responsible). Therefore, one can start with the extraction of the terminology from the available documents. Then, one can connect these elements to reflect the logical structure of the terms. The result for COBIT (after several refinements) was the metamodel draft in figure 2. The draft model was then stored in the metasafe repository, and the picture of the model was generated by the repository. The model reflects the structure of the COBIT 4.1 framework, IT Assurance Guide: Using COBIT and COBIT 4.1 Process Assessment Model Exposure Draft, with an extension as explained in the figure. The extension of some attributes in the assurance model is included to show how a model can be adapted to specific requirements (e.g., the support of an Figure 2 Metamodel Draft Volume 3, July 2011 Page 2

3 assessment process) and still keep the original model. Figure 3 Entity Relationship Representation in Excel The model shows all the important terms, their properties and their relationships. It can be used to teach, design and structure the information base that will contain the model. This is not the metamodel, but it is what the authors wanted to express or show about the model. It is also only a draft or proof of concept of the architecture; however, it is a good basis from which to start and can be extended or changed easily for use in other intended purposes. Beyond the descriptive function, the model is also intended to structure the information base where the instances of the model with the complete textual information are stored, maintained and documented. Preparation of the Information Base COBIT is available in hard copy and as a PDF download and can be browsed using COBIT Online. COBIT Online provides the facility to download the content of COBIT as Word files or in an Access database. IT Assurance Guide: Using COBIT was also published as an Excel spreadsheet. The COBIT 4.1 Process Assessment Model Exposure Draft is published as a PDF file and consists of plaintext. It had to be taken apart and structured appropriately to be loaded into the information base. For the purposes of this analysis, the available documentation was taken apart and converted into strictly structured Excel maps to provide the input for the information base. A strictly structured Excel map contains sets of entity tables and relationship tables. Entity tables contain all occurrences of a given entity type, with its attributes similar to a table of a relational database. Relationship tables describe the connection between entities and reflect the structure of the system. This entity-relationship view (figure 3) corresponds directly with the conceptual model of the system. Figure 3 shows the tables that describe the input-output flow of work products, as defined in the COBIT 4.1 Process Assessment Model Exposure Draft. The final result of the preparation was three Excel maps with a total of 87 sheets, 5,400 entity rows and 8,200 relationship rows. The Excel maps were then loaded into the information base of the metasafe repository with the Excel import facility. Viewing the Content of the Information Base The content of the information base can be viewed with a generic viewer, which is controlled by the metamodel. Because the viewer/editor is completely controlled by the metamodel, no additional programming is required to: Browse across the model in an arbitrary direction, e.g., forward and backward, and starting anywhere, e.g., one could start with an organizational function (such as chief information officer [CIO]), see all the responsibilities, select one and find the affected process, select one and see the description, or move on to the corresponding management guideline Select a graphical view and browse using the graphics (graphics are dynamically created from the model) Volume 3, July 2011 Page 3

4 Figure 4 Browse and Document the Results of an Assessment Update the descriptions (updating is protected by user-update rights) Export parts of the information Create and export arbitrary cross-references Figure 4 shows the browse tree with forward and backward branches in the left pane. The right pane contains, on top, the descriptive elements of a process and, below the context, a graph of the input/output of the selected process. With a click on one of the outcomes, the graph moves automatically to the selected element. Once a user of the viewer logs in to the system with a specific view, the user will see only the elements and structures defined in this view. It is important to note that such a model-based viewer can also cope with any extension of the model. This is especially important when a model is in development or when extensions and enhancements are introduced. Such a generic viewer is not a replacement for a dedicated system such as COBIT Online; however, one could create this kind of application on top of the repository using the metasafe application programming interface (Java-API). Extension to Support an Assessment To explain the extensibility of the repository technology, some attributes have been added in the assessment guide model (figure 5). (The additional attributes have been marked to avoid misunderstandings.) This view was defined as the assessment view in the model and provides fields to enter the assessment for specific items. Other extensions could include: Grouping assessments and assignments of assesments to selected assessors Accepting attached documents Creating clones for several branches The consolidated results of all assessments can then be extracted and reported using the business intelligence and reporting tool (BIRT). Conclusion A metamodel and an information base (repository) can ease the development, publication, adaption and practical use of process models. The publications in connection with COBIT 4.1 have been used to demonstrate the concept and its Volume 3, July 2011 Page 4

5 Figure 5 Browse and Document the Results of an Assessment implementation. The concept and tools can be applied to any process model. Based on this architecture, generic model-based tools can been used to create the metamodel; to load the model; and to browse, update or export the model. Author s Note The tools used in this article belong to the metasafe repository that is based on the Eclipse Software Framework and on the metasafe Java-API. This infrastructure can be used to create additional tools as required for specific purposes. The metasafe repository is available as a software product; however, the content of the information base is not available for distribution because it is copyrighted material of ISACA and was only used for the proof of concept. Reinhold Thurner, Ph.D. is founder and chief executive officer (CEO) of Metasafe GmbH in Switzerland (metasafe-repository.com) a software company specialized in modeling techniques and the developer of the general purpose repository metasafe. He has more than 30 years of experience in IT, especially in the area of software engineering, model-based development, software generators, compilers and metadata bases. Volume 3, July 2011 Page 5

6 COBIT Focus is published by ISACA. Opinions expressed in COBIT Focus represent the views of the authors. They may differ from policies and official statements of ISACA and its committees, and from opinions endorsed by authors, employers or the editors of COBIT Focus. COBIT Focus does not attest to the originality of authors content ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Please contact Julia Fullerton at Framework Committee Patrick Stachtchenko, CISA, CGEIT, CA, France, chair Steven A. Babb, CGEIT, CRISC, UK Sushil Chatterji, CGEIT, Singapore Sergio Fleginsky, CISA, Uruguay John W. Lainhart IV, CISA, CISM, CGEIT, CRISC, USA Anthony P. Noble, CISA, USA Derek J. Oliver, Ph.D., DBA, CISA, CISM, CITP, FBCS, FISM, UK Rolf M. von Roessing, CISA, CISM, CGEIT, Germany Editorial Content Comments regarding the editorial content may be directed to Jennifer Hajigeorgiou, senior editorial manager, at 2011 ISACA. All rights reserved. Volume 3, July 2011 Page 6