COBIT ® provides guidance to assist enterprises in making key governance system design decisions to successfully achieve enterprise goals and objectives. This is accomplished by focusing on objectives specific to both the governance and management components of a governance system. Organizations vary in how they approach, design and define the parameters for how governance and management operate within an enterprise. COBIT ® 2019 provides guidance on how governance and management should be defined within an enterprise.
Governance ensures that: 1
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve enterprise objectives. 2
Each governance and management objective includes a process component, which encompasses several practices. Each of these practices have activities that help ensure the achievement of the associated processes. To help measure the achievement of an enterprise’s program (e.g., privileged access management) and its contribution to the overall enterprise objective, a Capability Maturity Model Integration (CMMI)–based process capability scheme (ranging from 0-5) can be used However, using COBIT, which can equally measure the same enterprise program achievements, is done using a concept called “COBIT performance management” (CPM) Performance management could represent how well the governance and management system and all the components of an enterprise work and how they can be improved to achieve the required capability and maturity levels. The CPM model largely aligns with and extends CMMI ® Development V2.02 concepts.
Capability and maturity levels are assigned to all process activities, enabling clear definition of processes at different levels. This can be effective through a thorough assessment of the enterprise program and capabilities using performance management. There are some techniques which can help in the thorough assessment of an enterprise program. One notable technique, which is effective and has stood the test of time in the field of risk management is the technology risk assessment (TRA). The definition of a TRA varies from organization to organization, however, it maintains the same functionality. This assessment examines the key areas of people, processes and technology in relation to an enterprise program and measures their effectiveness. Thus, the TRA can provide a risk score rating based on identifying gaps in its evaluation. The application of CPM can seem like a daunting task to apply to assessments or techniques performed by risk practitioners for their enterprise. However, breaking it down into various actionable steps makes this endeavor more achievable and manageable. Those steps are outlined here.
During the execution of an assessment, it is important to ensure that the stakeholders, whose processes and technology are being reviewed and measured, fully understand what metrics are being evaluated. For example, a possible metric could assess how many privileged accounts are not managed by a privileged access management tool. This also elicits full participation during the assessment process and helps ensure successful completion of the exercise. This is also the time to introduce the COBIT 2019 framework, which will be used to effectively measure the capabilities and maturity levels of the enterprise program.
Understanding the various processes and technologies managed by these stakeholders helps determine the scope of the assessment and guides the exercise more effectively. This, in turn, helps prioritize key areas relevant to the stakeholders and the enterprise to be assessed.
Tailoring the process activities to the appropriate capability and maturity levels is critical to the success of the assessment. This is included in the COBIT ® 2019 Framework Governance and Management Objective guide.
The process activities can operate at various capability and maturity levels, ranging from 0 to 5. The capability level is a measure of how well a process is implemented and performing (figure 1), while the maturity level, which is associated with focus areas, is a measure of how these processes contained in the focus area achieve that particular capability level, through the collections of substantial underlying evidence to support enterprise goals (figure 2). 3
Figure 1—Capability Level for Processes
Figure 2—Maturity Level for Focus Area
Providing a score rating for capability and maturity levels can be achieved using various methods. One such method is using the available ratings outlined in the COBIT 2019 framework. The ratings utilize descriptors such as: fully, largely, partially, or not, that have varying percentages assigned to each one.
Another score rating used could be through a formal method leading to a binary pass/fail set of ratings. However, a less formal method (often used in performance improvement contexts) works better with a value range from 1-5.
For the assessment, based on the maturity of the process, a value of 1-5 will be assigned to the capability and maturity levels. Those values are: 4
These values are rated subjectively, based on interviews with stakeholders, reviews of executed procedure documents, oversight programs and execution of an enterprise’s goals and objectives.
Obtaining the results from the assessment is a crucial step in helping the enterprise improve in areas with low score ratings. The areas noted with low score ratings are documented with recommendations, highlighting the enterprise’s strengthens and weaknesses. The results are provided to the enterprise’s leadership and stakeholders for review and prioritization.
The areas with low score ratings also eventually make their way into a repository as a managed self-identified (MSI) issue or finding. This ensures that the issues or findings are tracked to resolution and helps achieve an improved future-state process.
Following these steps consecutively helps the practitioner perform an effective capability and maturity assessment for an enterprise on the governance and management processes and systems.
CPM denotes how well the governance and management processes and systems function and how they can be improved to meet the required level.
No matter the requirement the practitioner intends to achieve, it is imperative to keep in mind that COBIT is a reference model to be used as you see fit, based on your organization’s goals and objectives. It is the user’s choice to determine how it is utilized.
Is a cyber governance, risk and compliance integration professional in the financial services industry. His experience includes driving identity and access management risk and controls initiatives, cyberrisk management, regulatory compliance and cybersecurity assurance (US Sarbanes Oxley Act [SOX], Serivce Organization Controls [SOC] and IT general controls audit [ITGC] assessment and audit). His expertise is in information security and technology, cloud security and enterprise program development, management and governance. He is attuned to emerging security trends, which enhances his ability to quickly assess challenges, capture the vision of the desired state, and build stakeholder relationships, both internal and external to an organization.