S5: Enterprise Governance Of IT COBIT 5 - CRUE


Implantadores y Evaluadores del Gobierno de las Tecnologías de la Información en las Universidades, Baeza 2013

S5: Enterprise Governance of IT - COBIT 5

Prof. Dr. Wim Van Grembergen
University of Antwerp (UA)
Antwerp Management School (AMS)
IT Alignment and Governance Research Institute (ITAG)
wim.vangrembergen@ua.ac.be

Author's biography: Wim Van Grembergen
- Professor at the Economics and Management Faculty of the University of Antwerp (UA)
- Executive professor at the Antwerp Management School (AMS)
- Teaches information systems at master and executive level
- Researches IT governance within his IT Alignment and Governance (ITAG) Research Institute
- Most recent book: "Enterprise governance of IT. Achieving strategic alignment and value" (Springer, New York)
- Has been involved in the development of COBIT 4, VAL IT and COBIT 5
- Frequent speaker at academic and professional meetings and conferences
- Has served in a consulting capacity to a number of organisations

Contents
1. Enterprise Governance of IT
2. Enterprise Governance of IT practices
3. Enterprise Governance of IT as enabler for business/IT alignment
4. Enterprise Governance of IT as enabler for business value
5. COBIT 5

Setting the scene

"Firms with superior IT governance have at least 20% higher profits than firms with poor governance given the same strategic objectives."
(Louis Boyle, VP Gartner EXP, 2006)

IT governance definitions

IT governance is the organizational capacity exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensuring the fusion of business and IT.
(Van Grembergen, 2002)

IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
(IT Governance Institute, 2001)

Moving to Enterprise Governance of IT

Enterprise governance of IT (EGIT) is an integral part of enterprise governance exercised by the Board overseeing the definition and implementation of processes, structures and relational mechanisms in the organisation enabling both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT-enabled business investments.
(Van Grembergen & De Haes, 2009)

Structures, processes and relational mechanisms

(Figure: Enterprise governance of IT at the centre, supported by three kinds of practices.)

Structures: roles and responsibilities, IT organisation structure, CIO on Board, IT strategy committee, IT steering committee(s)

Processes: Strategic Information Systems Planning, (IT) BSC, Information Economics, SLA, COBIT, Val IT, ITIL, IT alignment/governance maturity models

Relational mechanisms: active participation and collaboration between principal stakeholders, partnership rewards and incentives, business/IT co-location, cross-functional business/IT training and rotation

The knowing-doing gap
- While organisations do recognise EGIT's importance, they are still struggling with getting such governance practices implemented and embedded into their organisations ("knowing-doing gap")
- Need for an organizational system, i.e. "the way a firm gets its people to work together to carry out the business" (De Wit and Meyer, 2005)

Key assets governance

(Figure, partly garbled in the source: the Board and the Executive committee govern the enterprise's key assets; the legible asset classes are IP assets, information and IT assets and relationship assets, and the governance practices shown are financial governance practices and IT governance practices.)

ISO/IEC 38500 (2008): Corporate governance of information technology

Scope
- This standard provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
- This standard applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.

ISO/IEC 38500 (2008): Principles for Enterprise Governance of IT

Principle 1: Responsibility
Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for, IT. Those with responsibility for actions also have the authority to perform those actions.

Principle 2: Strategy
The organization's business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization's business strategy.

Principle 3: Acquisition
IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.

Principle 4: Performance
IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.

Principle 5: Conformance
IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.

Principle 6: Human Behaviour
IT policies, practices and decisions demonstrate respect for Human Behaviour, including the current and evolving needs of all the "people in the process".

ISO/IEC 38500 (2008): Corporate governance of information technology

Model
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.

COBIT and Val IT as frameworks for Enterprise Governance of IT

(Figure: Enterprise Governance of IT supported by two frameworks: COBIT, with a focus on IT processes, and Val IT, whose focus description survives in the source only as the fragments "...processes" and "on IT-".)

COBIT framework

(Figure: the four COBIT domains arranged around Information, together with the information criteria and the IT resources.)

Information criteria (partly garbled in the source; the legible ones are): availability, compliance, reliability
IT resources: data, application systems, infrastructure, people

Planning and Organisation
PO1. Define a strategic IT plan
PO2. Define the information architecture
PO3. Determine technological direction
PO4. Define the IT processes, organization and relationships
PO5. Manage the IT investment
PO6. Communicate management aims and direction
PO7. Manage IT human resources
PO8. Manage quality
PO9. Assess and manage risk
PO10. Manage projects

Acquisition and Implementation
AI1. Identify automated solutions
AI2. Acquire and maintain application software
AI3. Acquire and maintain technology infrastructure
AI4. Enable operation and use
AI5. Procure IT resources
AI6. Manage changes
AI7. Install and accredit solutions and changes

Delivery and Support
DS1. Define and manage service levels
DS2. Manage third party services
DS3. Manage performance and capacity
DS4. Ensure continuous service
DS5. Ensure systems security
DS6. Identify and allocate costs
DS7. Educate and train users
DS8. Manage service desk and incidents
DS9. Manage the configuration
DS10. Manage problems
DS11. Manage data
DS12. Manage the physical environment
DS13. Manage operations

Monitor and Evaluate
ME1. Monitor and evaluate IT performance
ME2. Monitor and evaluate internal control
ME3. Ensure regulatory compliance
ME4. Provide IT governance

Example: Detailed Control Objectives for Manage Changes (AI6)

AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.

AI6.2 Impact Assessment, Prioritisation and Authorisation
Ensure that all requests for change are assessed in a structured way for impacts on the operational system and its functionality. This assessment should include categorisation and prioritisation of changes. Prior to migration to production, changes are authorized by the appropriate stakeholder.

AI6.3 Emergency Changes
Establish a process for defining, raising, assessing and authorising emergency changes that do not follow the established change process. Documentation and testing should be performed, possibly after implementation of the emergency change.

AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system for keeping change requestors and relevant stakeholders up to date about the status of the change to applications, procedures, processes, system and service parameters, and the underlying platforms.

AI6.5 Change Closure and Documentation
Whenever system changes are implemented, update the associated system and user documentation and procedures accordingly. Establish a review process to ensure complete implementation of changes.

Val IT: Projects, Programmes, Portfolios and Value

Value: the end business outcome expected from an IT-enabled business investment, where such outcomes may be financial, non-financial or a combination of the two.

Portfolio: a suite of business programmes managed to optimise overall enterprise value.

Programme: a structured grouping of projects that are both necessary and sufficient to achieve a business outcome and deliver value, including business change management, business processes, people, etc. (primary unit of investment within Val IT).

Project: a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget (that is necessary but not sufficient to achieve a required business outcome).

Val IT: Relationship between Processes & Practices

Establish Governance Framework for Value Management (VG)
- Establish informed and committed leadership
- Define and implement processes
- Define portfolio types
- Align and integrate Value Management with enterprise financial planning
- Establish effective governance monitoring
- Implement lessons learned

Manage the Investment Portfolio (PM)
- Establish strategic direction and target investment mix
- Determine availability and sources of funding
- Human Resource Management
- Evaluate and select programmes to fund
- Monitor and report on portfolio performance
- Optimise portfolio performance

Manage the Investments (IM)
- Develop and evaluate initial programme concept business case
- Understand candidate programme and implementation options
- Develop the programme plan
- Develop full life cycle costs and benefits
- Develop detailed candidate programme business case
- Launch and manage the programme
- Update operational IT portfolios
- Update the business case
- Monitor and report on the programme
- Retire the programme

Relational mechanisms (Peterson, 2003)
- Effective communications and knowledge sharing
- Active participation and collaboration of principal stakeholders
- Partnership rewards and incentives
- Business/IT collocation
- Cross-functional business/IT training and job rotation
- IT leadership

Contents
1. Enterprise Governance of IT
2. Enterprise Governance of IT practices
3. Enterprise Governance of IT as enabler for business/IT alignment
4. Enterprise Governance of IT as enabler for business value
5.

- IT governance framework COBIT
- Corporate internal communication addressing IT on a regular basis
- Service level agreements
- IT strategy committee at level of board of directors
- Business/IT account management
- Informal meetings between business and IT executive/senior management
- Strategic information systems planning
- Executive/senior management giving the good example
- IT leadership