IT Governance Capability Maturity within Government
Vernon John, SITA

Topics
• Preamble
• Brief overview of COBIT
• Overall COBIT Framework
• IT Governance Capability Maturity Assessment Framework
• Assessment Approach
• Assessment Results: Importance and Performance
• General observations
• Conclusion

References: Control Objectives for Information and related Technology (COBIT)

Enterprise Governance and IT Governance:
Capability performance management + Risk Management = Optimal delivery of IT services (business value)
Preamble
This presentation provides insight into:
• The IT Governance Capability Maturity Assessment Framework and assessment approach
• Measurement outcomes

Objective: Gauge IT Governance capability maturity levels

IT Governance Capability Maturity Assessment Framework: development of templates (assessment and reports). Sources:
• Board Briefing on IT Governance, 2nd Edition, ITGI
• COBIT 4.1 Management Guidelines
• COBIT Implementation Guide
• IT Governance Implementation Guide, ITGI
• Maturity Measurement – Fit the Purpose, Then the Method, Guldentops E, ISACA, 2003

13 government departments were measured:
• 4 x National Departments
• 4 x Provincial Departments
• 5 x Municipalities
Brief overview of COBIT
• A set of accepted best practices for IT management and guidance materials for IT Governance
• Developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
• According to ISACA, “COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.”
• Structure: Domains (4) → Processes (34) → Control Objectives (> 200) → Control Test Statements (> 800)
Overall COBIT Framework
Business objectives and governance objectives drive the COBIT processes, which are grouped into four domains. IT Resources (Applications, Information, Infrastructure, People) support Business Processes to provide Information for achieving the information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.

Plan and Organise (PO)
• PO1 Define a strategic IT plan.
• PO2 Define the information architecture.
• PO3 Determine technological direction.
• PO4 Define the IT processes, organisation and relationships.
• PO5 Manage the IT investment.
• PO6 Communicate management aims and direction.
• PO7 Manage IT human resources.
• PO8 Manage quality.
• PO9 Assess and manage IT risks.
• PO10 Manage projects.

Acquire and Implement (AI)
• AI1 Identify automated solutions.
• AI2 Acquire and maintain application software.
• AI3 Acquire and maintain technology infrastructure.
• AI4 Enable operation and use.
• AI5 Procure IT resources.
• AI6 Manage changes.
• AI7 Install and accredit solutions and changes.

Deliver and Support (DS)
• DS1 Define and manage service levels.
• DS2 Manage third-party services.
• DS3 Manage performance and capacity.
• DS4 Ensure continuous service.
• DS5 Ensure systems security.
• DS6 Identify and allocate costs.
• DS7 Educate and train users.
• DS8 Manage service desk and incidents.
• DS9 Manage the configuration.
• DS10 Manage problems.
• DS11 Manage data.
• DS12 Manage the physical environment.
• DS13 Manage operations.

Monitor and Evaluate (ME)
• ME1 Monitor and evaluate IT performance.
• ME2 Monitor and evaluate internal control.
• ME3 Ensure compliance with external requirements.
• ME4 Provide IT governance.
IT Governance Capability Maturity Assessment Framework
COBIT implementation road map: Raise awareness; Envision Solution (Assess Current Capability Maturity, Determine Target Capability Maturity, Analyse Gaps and Identify Improvement Initiatives); Plan Solution.

For each COBIT process (PO1..POn, AI1..AIn, DS1..DSn, ME1..MEn) the assessment captures:
• Process attributes: Accountable, Responsible, Audited, Control Weaknesses, Technology Used, Vulnerabilities (Technology)
• Control objective ratings: Importance and Performance
• Maturity Model attributes: Awareness and Communication; Policies, Plans and Procedures; Goal Setting and Measurement; Skills and Expertise; Responsibility and Accountability; Tools and Automation
Importance rating scale (per control objective test statement):
1 - Not at all
2 - Can survive without it if need be
3 - Make things easier
4 - Very significant
5 - Critical
Performance rating scale (per control objective test statement):
1 - Some aspects rarely
2 - Some aspects sometimes
3 - All aspects sometimes
4 - Parts are always done well
5 - All is always done well
Maturity Model attributes are rated against the COBIT 4.1 Maturity Attribute Table.
Note: Assessment results excluded from this presentation.
Assessment approach
SITA facilitated a two-day work-session with IT representatives. During the work-session the following was done:
• Created an awareness of IT Governance and of our assessment framework and approach
• Presented the 34 COBIT processes and control objectives. Thereafter, the representatives were given an opportunity to:
  • Provide information related to each IT process, such as Accountability, Responsibility and whether or not the process has been Audited
  • Rate the test statements for the control objectives in terms of Importance and Performance
  • Rate the process maturity attributes per IT process in terms of how well they perceived that they are currently performing and where they would like to perform. The facilitator probed participants to ensure that they understood the process and control objectives, and to support more informed scoring
• The ratings were used to calculate the overall maturity levels
• A sample of evidence was requested by the SITA assessment team from the Department representatives to support the ratings provided
• The assessment outcomes were analysed, and initiatives to improve IT governance were identified and prioritised
• Report: given the short duration of the exercise, the assessment was not done at a very low level of detail, but it was sufficient to provide a sense of the IT Governance maturity level and to identify areas for improvement
Assessment results: Importance and Performance Per Domain
Legend
Importance (Imp): 1 - Not at all; 2 - Can survive without it (if need be); 3 - Make things easier; 4 - Very significant; 5 - Critical
Performance (Perf): 1 - Some aspects rarely; 2 - Some aspects sometimes; 3 - All aspects sometimes; 4 - Parts are always done well; 5 - All is always done well

Average level (scale 0.00 to 5.00) per domain:

All           PO     AI     DS     ME
Imp         4.08   4.05   3.85   3.87
Perf        2.02   2.12   1.82   1.72

National      PO     AI     DS     ME
Imp         4.18   4.34   4.09   3.98
Perf        2.42   2.63   2.12   2.10

Provincial    PO     AI     DS     ME
Imp         4.28   4.20   4.09   4.19
Perf        1.90   1.88   1.67   1.52

Local         PO     AI     DS     ME
Imp         3.78   3.61   3.38   3.45
Perf        1.73   1.85   1.67   1.53
Assessment results: Importance and Performance Per Domain (combined view; level scale 0.00 to 5.00)

              PO                        AI                        DS                        ME
         All   Nat   Pro   Loc     All   Nat   Pro   Loc     All   Nat   Pro   Loc     All   Nat   Pro   Loc
Imp     4.08  4.18  4.28  3.78    4.05  4.34  4.20  3.61    3.85  4.09  4.09  3.38    3.87  3.98  4.19  3.45
Perf    2.02  2.42  1.90  1.73    2.12  2.63  1.88  1.85    1.82  2.12  1.67  1.67    1.72  2.10  1.52  1.53
Assessment results: Average Importance and Performance Per Process Per Domain
(Legend as above)

Process                                                      Perf    Imp    % Diff
PO1  Define a Strategic IT Plan                              2.17   4.14    91.04%
PO2  Define the Information Architecture                     1.50   3.93   161.86%
PO3  Determine Technological Direction                       1.93   3.97   105.59%
PO4  Define the IT Processes, Organisation and Relationships 2.03   4.13   103.05%
PO5  Manage the IT Investment                                2.42   3.95    63.49%
PO6  Communicate Management Aims and Direction               2.06   4.01    94.89%
PO7  Manage IT Human Resources                               2.28   4.16    82.32%
PO8  Manage Quality                                          1.72   4.18   143.01%
PO9  Assess and Manage IT Risks                              1.99   4.27   114.93%
PO10 Manage Projects                                         2.06   4.08    98.39%
PO Average                                                   2.02   4.08   102.56%
AI1  Identify Automated Solutions                            2.01   4.06   101.94%
AI2  Acquire and Maintain Application Software               2.08   3.92    88.04%
AI3  Acquire and Maintain Technology Infrastructure          2.04   4.11   101.09%
AI4  Enable Operation and Use                                2.11   3.89    84.62%
AI5  Procure IT Resources                                    2.87   4.24    47.91%
AI6  Manage Changes                                          1.88   4.15   121.47%
AI7  Install and Accredit Solutions and Changes              1.85   3.99   116.00%
AI Average                                                   2.12   4.05    91.18%
DS1  Define and Manage Service Levels                        1.77   3.72   109.82%
DS2  Manage Third-party Services                             2.00   3.98    99.48%
DS3  Manage Performance and Capacity                         1.73   3.96   129.38%
DS4  Ensure Continuous Service                               1.51   4.44   195.18%
DS5  Ensure Systems Security                                 1.91   4.07   112.99%
DS6  Identify and Allocate Costs                             1.46   2.62    79.66%
DS7  Educate and Train Users                                 1.86   3.62    94.81%
DS8  Manage Service Desk and Incidents                       2.16   4.07    88.42%
DS9  Manage the Configuration                                1.67   3.69   120.55%
DS10 Manage Problems                                         1.80   4.12   128.26%
DS11 Manage Data                                             1.79   4.05   127.02%
DS12 Manage the Physical Environment                         2.26   3.97    75.40%
DS13 Manage Operations                                       1.74   3.77   116.24%
DS Average                                                   1.82   3.85   111.71%
ME1  Monitor and Evaluate IT Performance                     1.79   3.80   112.78%
ME2  Monitor and Evaluate Internal Control                   1.63   3.79   132.37%
ME3  Ensure Compliance With External Requirements            1.73   3.87   123.46%
ME4  Provide IT Governance                                   1.71   4.03   135.40%
ME Average                                                   1.72   3.87   125.78%
Assessment results: Very Significant Processes (17)
(Legend as above)

Processes with highest Importance (17)
Process                                                      Perf    Imp    % Diff
DS4  Ensure Continuous Service                               1.51   4.44   195.18%
PO9  Assess and Manage IT Risks                              1.99   4.27   114.93%
AI5  Procure IT Resources                                    2.87   4.24    47.91%
PO8  Manage Quality                                          1.72   4.18   143.01%
PO7  Manage IT Human Resources                               2.28   4.16    82.32%
AI6  Manage Changes                                          1.88   4.15   121.47%
PO1  Define a Strategic IT Plan                              2.17   4.14    91.04%
PO4  Define the IT Processes, Organisation and Relationships 2.03   4.13   103.05%
DS10 Manage Problems                                         1.80   4.12   128.26%
AI3  Acquire and Maintain Technology Infrastructure          2.04   4.11   101.09%
PO10 Manage Projects                                         2.06   4.08    98.39%
DS5  Ensure Systems Security                                 1.91   4.07   112.99%
DS8  Manage Service Desk and Incidents                       2.16   4.07    88.42%
AI1  Identify Automated Solutions                            2.01   4.06   101.94%
DS11 Manage Data                                             1.79   4.05   127.02%
ME4  Provide IT Governance                                   1.71   4.03   135.40%
PO6  Communicate Management Aims and Direction               2.06   4.01    94.89%

Processes with highest Performance (17)
Process                                                      Perf    Imp    % Diff
AI5  Procure IT Resources                                    2.87   4.24    47.91%
PO5  Manage the IT Investment                                2.42   3.95    63.49%
PO7  Manage IT Human Resources                               2.28   4.16    82.32%
DS12 Manage the Physical Environment                         2.26   3.97    75.40%
PO1  Define a Strategic IT Plan                              2.17   4.14    91.04%
DS8  Manage Service Desk and Incidents                       2.16   4.07    88.42%
AI4  Enable Operation and Use                                2.11   3.89    84.62%
AI2  Acquire and Maintain Application Software               2.08   3.92    88.04%
PO6  Communicate Management Aims and Direction               2.06   4.01    94.89%
PO10 Manage Projects                                         2.06   4.08    98.39%
AI3  Acquire and Maintain Technology Infrastructure          2.04   4.11   101.09%
PO4  Define the IT Processes, Organisation and Relationships 2.03   4.13   103.05%
AI1  Identify Automated Solutions                            2.01   4.06   101.94%
DS2  Manage Third-party Services                             2.00   3.98    99.48%
PO9  Assess and Manage IT Risks                              1.99   4.27   114.93%
PO3  Determine Technological Direction                       1.93   3.97   105.59%
DS5  Ensure Systems Security                                 1.91   4.07   112.99%
Assessment results: Very Significant Processes (17), continued
(Legend as above; the Importance ranking is the same as on the previous slide)

Processes with highest “Differences” (17)
Process                                                      Perf    Imp    % Diff
DS4  Ensure Continuous Service                               1.51   4.44   195.18%
PO2  Define the Information Architecture                     1.50   3.93   161.86%
PO8  Manage Quality                                          1.72   4.18   143.01%
ME4  Provide IT Governance                                   1.71   4.03   135.40%
ME2  Monitor and Evaluate Internal Control                   1.63   3.79   132.37%
DS3  Manage Performance and Capacity                         1.73   3.96   129.38%
DS10 Manage Problems                                         1.80   4.12   128.26%
DS11 Manage Data                                             1.79   4.05   127.02%
ME3  Ensure Compliance With External Requirements            1.73   3.87   123.46%
AI6  Manage Changes                                          1.88   4.15   121.47%
DS9  Manage the Configuration                                1.67   3.69   120.55%
DS13 Manage Operations                                       1.74   3.77   116.24%
AI7  Install and Accredit Solutions and Changes              1.85   3.99   116.00%
PO9  Assess and Manage IT Risks                              1.99   4.27   114.93%
DS5  Ensure Systems Security                                 1.91   4.07   112.99%
ME1  Monitor and Evaluate IT Performance                     1.79   3.80   112.78%
DS1  Define and Manage Service Levels                        1.77   3.72   109.82%
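The three ranked lists above (highest Importance, highest Performance, highest “Differences”) and the per-domain average rows can be re-derived from the per-process table. The script below is an added example, not part of the presentation or of SITA's assessment tooling. The process averages are transcribed from the per-process table on the earlier slide; the formula for % Diff is not stated on the slides, so the script assumes % Diff = (Imp − Perf) / Perf × 100, which reproduces the published column to within the rounding of the two-decimal inputs (near-ties such as AI6 and DS9 can swap places for that reason).

```python
"""Re-derive the 'highest Importance', 'highest Performance' and 'highest Differences'
rankings and the domain average rows from the per-process Importance/Performance averages."""
from statistics import mean

# Per-process averages transcribed from the per-process table in this presentation:
# process id -> (name, Perf, Imp), both on the 1-5 scales in the legend.
PROCESSES = {
    "PO1": ("Define a Strategic IT Plan", 2.17, 4.14),
    "PO2": ("Define the Information Architecture", 1.50, 3.93),
    "PO3": ("Determine Technological Direction", 1.93, 3.97),
    "PO4": ("Define the IT Processes, Organisation and Relationships", 2.03, 4.13),
    "PO5": ("Manage the IT Investment", 2.42, 3.95),
    "PO6": ("Communicate Management Aims and Direction", 2.06, 4.01),
    "PO7": ("Manage IT Human Resources", 2.28, 4.16),
    "PO8": ("Manage Quality", 1.72, 4.18),
    "PO9": ("Assess and Manage IT Risks", 1.99, 4.27),
    "PO10": ("Manage Projects", 2.06, 4.08),
    "AI1": ("Identify Automated Solutions", 2.01, 4.06),
    "AI2": ("Acquire and Maintain Application Software", 2.08, 3.92),
    "AI3": ("Acquire and Maintain Technology Infrastructure", 2.04, 4.11),
    "AI4": ("Enable Operation and Use", 2.11, 3.89),
    "AI5": ("Procure IT Resources", 2.87, 4.24),
    "AI6": ("Manage Changes", 1.88, 4.15),
    "AI7": ("Install and Accredit Solutions and Changes", 1.85, 3.99),
    "DS1": ("Define and Manage Service Levels", 1.77, 3.72),
    "DS2": ("Manage Third-party Services", 2.00, 3.98),
    "DS3": ("Manage Performance and Capacity", 1.73, 3.96),
    "DS4": ("Ensure Continuous Service", 1.51, 4.44),
    "DS5": ("Ensure Systems Security", 1.91, 4.07),
    "DS6": ("Identify and Allocate Costs", 1.46, 2.62),
    "DS7": ("Educate and Train Users", 1.86, 3.62),
    "DS8": ("Manage Service Desk and Incidents", 2.16, 4.07),
    "DS9": ("Manage the Configuration", 1.67, 3.69),
    "DS10": ("Manage Problems", 1.80, 4.12),
    "DS11": ("Manage Data", 1.79, 4.05),
    "DS12": ("Manage the Physical Environment", 2.26, 3.97),
    "DS13": ("Manage Operations", 1.74, 3.77),
    "ME1": ("Monitor and Evaluate IT Performance", 1.79, 3.80),
    "ME2": ("Monitor and Evaluate Internal Control", 1.63, 3.79),
    "ME3": ("Ensure Compliance With External Requirements", 1.73, 3.87),
    "ME4": ("Provide IT Governance", 1.71, 4.03),
}


def gap_percent(perf, imp):
    """Relative gap between how important a process is rated and how well it is performed.
    Assumption (the slides do not state the formula): % Diff = (Imp - Perf) / Perf * 100.
    It matches the published column to within the rounding of the two averages."""
    return (imp - perf) / perf * 100.0


def domain_of(pid):
    """'DS10' -> 'DS': the domain is the alphabetic prefix of the process id."""
    return pid.rstrip("0123456789")


def domain_averages():
    """Mean Perf and Imp per domain, i.e. the 'PO Average' ... 'ME Average' rows."""
    result = {}
    for dom in ("PO", "AI", "DS", "ME"):
        rows = [v for k, v in PROCESSES.items() if domain_of(k) == dom]
        result[dom] = (mean(r[1] for r in rows), mean(r[2] for r in rows))
    return result


def ranked(by, n=17):
    """Top-n process ids by 'importance', 'performance' or 'gap', descending.
    sorted() is stable, so processes that tie keep their COBIT order, as on the slides."""
    keys = {
        "importance": lambda item: item[1][2],
        "performance": lambda item: item[1][1],
        "gap": lambda item: gap_percent(item[1][1], item[1][2]),
    }
    ordered = sorted(PROCESSES.items(), key=keys[by], reverse=True)
    return [pid for pid, _ in ordered[:n]]


if __name__ == "__main__":
    for by in ("importance", "performance", "gap"):
        print(f"Top 17 by {by}:")
        for pid in ranked(by):
            name, perf, imp = PROCESSES[pid]
            print(f"  {pid:<5}{name:<58}{perf:5.2f}{imp:6.2f}{gap_percent(perf, imp):9.2f}%")
    for dom, (perf, imp) in domain_averages().items():
        print(f"{dom} average: Perf {perf:.2f}, Imp {imp:.2f}")
```

Running it prints the three lists in the same order as the slides for Importance and Performance; the “Differences” list agrees on membership and on its top entries, with the one near-tie noted above depending on whether rounded or unrounded averages are used.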
Overall average
The overall average level was between a level 1 and a level 2. According to the COBIT Generic Maturity Model, the level 1 and 2 descriptions are as follows:
“1 Initial/Ad Hoc—There is evidence that the enterprise has recognised that the issues exist and need to be addressed. There are, however, no standardised processes; instead, there are ad-hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.
2 Repeatable but Intuitive—Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.”
Observations
• Participants gave their full cooperation and were receptive to the final reports
• There was an awareness of IT Governance at a conceptual level, but limited knowledge of the details as stipulated in COBIT or of IT Governance implementation
• Participants understood the importance of IT Governance and acknowledged that they have a key role to play in the implementation thereof. However, in many instances more emphasis was placed on “operational responsibilities” as a higher priority than on IT Governance type responsibilities
• Some participants were not able to indicate effectively who was accountable and responsible for the execution of IT processes
• Very few had explicit IT Governance and IT Process frameworks
• Some formal IT policies, processes, procedures or plans have been instituted; however, this was not done in the context of an overall IT Governance framework, and periodic reviews were limited
• Some IT processes underwent auditing, albeit that some audits are done on an ad hoc basis
• Limited tools are used in support of executing the IT processes. Desktop productivity tools are primarily used and have limited functionality to support effective and efficient execution of the IT processes
• Unavailability of funds
Conclusion
COBIT is a very comprehensive IT Governance framework and there is a need to simplify the implementation of COBIT IT Governance within Government departments, which could be done by:
• Establishing a “minimum” IT Governance framework
• Compiling an implementation method for the “minimum” IT Governance framework
• Compiling and making available e.g. generic policies and processes that are aligned to the “minimum” framework and that could be easily adapted
• Initiating IT Governance practitioner training
• Conducting periodic assessments

Thank You