IT Governance Capability Maturity within Government

IT Governance Capability Maturity within Government. Vernon John, SITA.

Topics: Preamble; Brief overview of COBIT; Overall COBIT Framework; IT Governance Capability Maturity Assessment Framework; Assessment Approach; Assessment Results; Importance and Performance; General observations.

Transcript of IT Governance Capability Maturity within Government

Page 1: IT Governance Capability Maturity within Government

IT Governance Capability Maturity within Government

Vernon John, SITA

Page 2: IT Governance Capability Maturity within Government

Topics

• Preamble
• Brief overview of COBIT
• Overall COBIT Framework
• IT Governance Capability Maturity
• Assessment Framework
• Assessment Approach
• Assessment Results
• Importance and Performance
• General observations
• Conclusion

References: Control Objectives for Information and related Technology (COBIT)

[Diagram: Enterprise Governance / IT Governance. Capability performance management + Risk Management = Optimal delivery of IT services (business value)]

Page 3: IT Governance Capability Maturity within Government

Preamble

This presentation provides insight into:
• IT Governance Capability Maturity Assessment Framework and assessment approach
• Measurement outcomes

IT Governance Capability Maturity Assessment Framework

Development of templates (assessment and reports)

• Board briefing on IT Governance 2nd Edition, ITGI
• COBIT 4.1® Management Guidelines
• COBIT Implementation Guide
• IT Governance Implementation Guide, ITGI
• Maturity Measurement – Fit the Purpose, Then The Method, Guldentops E, ISACA, 2003

13 government departments were measured
• 4 x National Departments
• 4 x Provincial Departments
• 5 x Municipalities

Objective: Gauge IT Governance capability maturity levels

Page 4: IT Governance Capability Maturity within Government

Brief overview of COBIT

A set of accepted best practices for IT management and guidance materials for IT Governance

Developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)

According to ISACA, “COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.”

• Domains (4)
• Processes (34)
• Control Objectives (> 200)
• Control Test Statements (> 800)

Page 5: IT Governance Capability Maturity within Government

Overall COBIT Framework

[Diagram labels: Business objectives; Governance objectives; Information; IT Resources; Business Processes; connectors "Provide", "To", "For achieving"]

Information: Efficiency, Integrity, Effectiveness, Compliance, Reliability, Confidentiality, Availability

IT Resources: Applications, Infrastructure, Information, People

Plan and Organise
• PO1 Define a strategic IT plan.
• PO2 Define the information architecture.
• PO3 Determine technological direction.
• PO4 Define the IT processes, organisation and relationships.
• PO5 Manage the IT investment.
• PO6 Communicate management aims and direction.
• PO7 Manage IT human resources.
• PO8 Manage quality.
• PO9 Assess and manage IT risks.
• PO10 Manage projects.

Acquire and Implement
• AI1 Identify automated solutions.
• AI2 Acquire and maintain application software.
• AI3 Acquire and maintain technology infrastructure.
• AI4 Enable operation and use.
• AI5 Procure IT resources.
• AI6 Manage changes.
• AI7 Install and accredit solutions and changes.

Deliver and Support
• DS1 Define and manage service levels.
• DS2 Manage third-party services.
• DS3 Manage performance and capacity.
• DS4 Ensure continuous service.
• DS5 Ensure systems security.
• DS6 Identify and allocate costs.
• DS7 Educate and train users.
• DS8 Manage service desk and incidents.
• DS9 Manage the configuration.
• DS10 Manage problems.
• DS11 Manage data.
• DS12 Manage the physical environment.
• DS13 Manage operations.

Monitor and Evaluate
• ME1 Monitor and evaluate IT performance.
• ME2 Monitor and evaluate internal control.
• ME3 Ensure compliance with external requirements.
• ME4 Provide IT governance.

Page 6: IT Governance Capability Maturity within Government

IT Governance Capability Maturity Assessment Framework

[Diagram labels]

Activities: Envision Solution; Raise awareness; Determine Target Capability Maturity; Plan Solution; Assess Current Capability Maturity; Analyse Gaps and Identify Improvement Initiatives

COBIT processes: PO1..POn; AI1…AIn; DS1…DSn; ME1…MEn

Per process: Accountable; Responsible; Audited; Control Weaknesses; Technology Used; Vulnerabilities (Technology)

Ratings: Importance; Performance

Maturity Model attributes: Awareness and Communication; Policies, Plans and Procedures; Goal Setting and Measurement; Skills and Expertise; Responsibility and Accountability; Tools and Automation

Page 7: IT Governance Capability Maturity within Government

IT Governance Capability Maturity Assessment Framework

[Assessment framework diagram repeated from Page 6, with the Importance rating scale shown]

Importance
1 - Not at all
2 - Can survive without it if need be
3 - Make things easier
4 - Very significant
5 - Critical

Page 8: IT Governance Capability Maturity within Government

IT Governance Capability Maturity Assessment Framework

[Assessment framework diagram repeated from Page 6, with the Performance rating scale shown]

Performance
1 - Some aspects rarely
2 - Some aspects sometimes
3 - All aspects sometimes
4 - Parts are always done well
5 - All is always done well

Page 9: IT Governance Capability Maturity within Government

IT Governance Capability Maturity Assessment Framework

[Assessment framework diagram repeated from Page 6, with the Maturity Model highlighted]

COBIT 4.1 Maturity Attribute Table

Note: Assessment results excluded from this presentation

Page 10: IT Governance Capability Maturity within Government

Assessment approach

• SITA facilitated a two-day work-session with IT representatives
• During the work-session the following was done:
  • Created an awareness of IT Governance and our assessment framework and approach
  • Presented on the 34 COBIT processes and control objectives. Thereafter, the representatives were given an opportunity to:
    • Provide information related to the IT process, such as Accountability, Responsibility and whether or not the process has been Audited
    • Rate test statements for control objectives in terms of Importance and Performance
    • Rate the process maturity attributes per IT process in terms of how well they perceived that they are currently performing and where they would like to perform. The facilitator probed participants to ensure that they understood the process and control objectives and to support a more informed scoring
  • The ratings were used to calculate the overall maturity levels
• A sample of evidence was requested by the SITA assessment team from the Department representatives to support the ratings provided
• The assessment outcomes were analysed and initiatives to improve IT governance were identified and prioritised
• Given the short duration of the exercise, the assessment was not carried out at a low level of detail, but it was sufficient to provide a sense of the IT Governance maturity level and identify areas for improvement

Report

Page 11: IT Governance Capability Maturity within Government

Assessment results: Importance and Performance Per Domain

Legend

Importance (Imp): 1 - Not at all; 2 - Can survive without it (if need be); 3 - Make things easier; 4 - Very significant; 5 - Critical

Performance (Perf): 1 - Some aspects rarely; 2 - Some aspects sometimes; 3 - All aspects sometimes; 4 - Parts are always done well; 5 - All is always done well

[Four bar charts, Level axis 0.00 to 5.00, one per group; chart values below]

| Group | Rating | PO | AI | DS | ME |
|---|---|---|---|---|---|
| All | Imp | 4.08 | 4.05 | 3.85 | 3.87 |
| All | Perf | 2.02 | 2.12 | 1.82 | 1.72 |
| National | Imp | 4.18 | 4.34 | 4.09 | 3.98 |
| National | Perf | 2.42 | 2.63 | 2.12 | 2.10 |
| Provincial | Imp | 4.28 | 4.20 | 4.09 | 4.19 |
| Provincial | Perf | 1.90 | 1.88 | 1.67 | 1.52 |
| Local | Imp | 3.78 | 3.61 | 3.38 | 3.45 |
| Local | Perf | 1.73 | 1.85 | 1.67 | 1.53 |

Page 12: IT Governance Capability Maturity within Government

Assessment results: Importance and Performance Per Domain

Legend

Importance (Imp): 1 - Not at all; 2 - Can survive without it (if need be); 3 - Make things easier; 4 - Very significant; 5 - Critical

Performance (Perf): 1 - Some aspects rarely; 2 - Some aspects sometimes; 3 - All aspects sometimes; 4 - Parts are always done well; 5 - All is always done well

[Bar chart, Level axis 0.00 to 5.00, grouped by domain; chart values below]

| Domain | Group | Imp | Perf |
|---|---|---|---|
| PO | All | 4.08 | 2.02 |
| PO | Nat | 4.18 | 2.42 |
| PO | Pro | 4.28 | 1.90 |
| PO | Loc | 3.78 | 1.73 |
| AI | All | 4.05 | 2.12 |
| AI | Nat | 4.34 | 2.63 |
| AI | Pro | 4.20 | 1.88 |
| AI | Loc | 3.61 | 1.85 |
| DS | All | 3.85 | 1.82 |
| DS | Nat | 4.09 | 2.12 |
| DS | Pro | 4.09 | 1.67 |
| DS | Loc | 3.38 | 1.67 |
| ME | All | 3.87 | 1.72 |
| ME | Nat | 3.98 | 2.10 |
| ME | Pro | 4.19 | 1.52 |
| ME | Loc | 3.45 | 1.53 |

Page 13: IT Governance Capability Maturity within Government

Assessment results: Average Importance and Performance Per Process Per Domain

Legend

Importance (Imp): 1 - Not at all; 2 - Can survive without it (if need be); 3 - Make things easier; 4 - Very significant; 5 - Critical

Performance (Perf): 1 - Some aspects rarely; 2 - Some aspects sometimes; 3 - All aspects sometimes; 4 - Parts are always done well; 5 - All is always done well

| Process | Perf | Imp | % Diff |
|---|---|---|---|
| PO1 Define a Strategic IT Plan | 2.17 | 4.14 | 91.04% |
| PO2 Define the Information Architecture | 1.50 | 3.93 | 161.86% |
| PO3 Determine Technological Direction | 1.93 | 3.97 | 105.59% |
| PO4 Define the IT Processes, Organisation and Relationships | 2.03 | 4.13 | 103.05% |
| PO5 Manage the IT Investment | 2.42 | 3.95 | 63.49% |
| PO6 Communicate Management Aims and Direction | 2.06 | 4.01 | 94.89% |
| PO7 Manage IT Human Resources | 2.28 | 4.16 | 82.32% |
| PO8 Manage Quality | 1.72 | 4.18 | 143.01% |
| PO9 Assess and Manage IT Risks | 1.99 | 4.27 | 114.93% |
| PO10 Manage Projects | 2.06 | 4.08 | 98.39% |
| PO Average | 2.02 | 4.08 | 102.56% |
| AI1 Identify Automated Solutions | 2.01 | 4.06 | 101.94% |
| AI2 Acquire and Maintain Application Software | 2.08 | 3.92 | 88.04% |
| AI3 Acquire and Maintain Technology Infrastructure | 2.04 | 4.11 | 101.09% |
| AI4 Enable Operation and Use | 2.11 | 3.89 | 84.62% |
| AI5 Procure IT Resources | 2.87 | 4.24 | 47.91% |
| AI6 Manage Changes | 1.88 | 4.15 | 121.47% |
| AI7 Install and Accredit Solutions and Changes | 1.85 | 3.99 | 116.00% |
| Average AI | 2.12 | 4.05 | 91.18% |
| DS1 Define and Manage Service Levels | 1.77 | 3.72 | 109.82% |
| DS2 Manage Third-party Services | 2.00 | 3.98 | 99.48% |
| DS3 Manage Performance and Capacity | 1.73 | 3.96 | 129.38% |
| DS4 Ensure Continuous Service | 1.51 | 4.44 | 195.18% |
| DS5 Ensure Systems Security | 1.91 | 4.07 | 112.99% |
| DS6 Identify and Allocate Costs | 1.46 | 2.62 | 79.66% |
| DS7 Educate and Train Users | 1.86 | 3.62 | 94.81% |
| DS8 Manage Service Desk and Incidents | 2.16 | 4.07 | 88.42% |
| DS9 Manage the Configuration | 1.67 | 3.69 | 120.55% |
| DS10 Manage Problems | 1.80 | 4.12 | 128.26% |
| DS11 Manage Data | 1.79 | 4.05 | 127.02% |
| DS12 Manage the Physical Environment | 2.26 | 3.97 | 75.40% |
| DS13 Manage Operations | 1.74 | 3.77 | 116.24% |
| DS Average | 1.82 | 3.85 | 111.71% |
| ME1 Monitor and Evaluate IT Performance | 1.79 | 3.80 | 112.78% |
| ME2 Monitor and Evaluate Internal Control | 1.63 | 3.79 | 132.37% |
| ME3 Ensure Compliance With External Requirements | 1.73 | 3.87 | 123.46% |
| ME4 Provide IT Governance | 1.71 | 4.03 | 135.40% |
| ME Average | 1.72 | 3.87 | 125.78% |

Page 14: IT Governance Capability Maturity within Government

Assessment results

Legend

Importance: 1 - Not at all; 2 - Can survive without it (if need be); 3 - Make things easier; 4 - Very significant; 5 - Critical

Performance: 1 - Some aspects rarely; 2 - Some aspects sometimes; 3 - All aspects sometimes; 4 - Parts are always done well; 5 - All is always done well

Very Significant Processes (17)

| Process | Perf | Imp | % Diff |
|---|---|---|---|
| DS4 Ensure Continuous Service | 1.51 | 4.44 | 195.18% |
| PO9 Assess and Manage IT Risks | 1.99 | 4.27 | 114.93% |
| AI5 Procure IT Resources | 2.87 | 4.24 | 47.91% |
| PO8 Manage Quality | 1.72 | 4.18 | 143.01% |
| PO7 Manage IT Human Resources | 2.28 | 4.16 | 82.32% |
| AI6 Manage Changes | 1.88 | 4.15 | 121.47% |
| PO1 Define a Strategic IT Plan | 2.17 | 4.14 | 91.04% |
| PO4 Define the IT Processes, Organisation and Relationships | 2.03 | 4.13 | 103.05% |
| DS10 Manage Problems | 1.80 | 4.12 | 128.26% |
| AI3 Acquire and Maintain Technology Infrastructure | 2.04 | 4.11 | 101.09% |
| PO10 Manage Projects | 2.06 | 4.08 | 98.39% |
| DS5 Ensure Systems Security | 1.91 | 4.07 | 112.99% |
| DS8 Manage Service Desk and Incidents | 2.16 | 4.07 | 88.42% |
| AI1 Identify Automated Solutions | 2.01 | 4.06 | 101.94% |
| DS11 Manage Data | 1.79 | 4.05 | 127.02% |
| ME4 Provide IT Governance | 1.71 | 4.03 | 135.40% |
| PO6 Communicate Management Aims and Direction | 2.06 | 4.01 | 94.89% |

Process with highest Performance (17)

| Process | Perf | Imp | % Diff |
|---|---|---|---|
| AI5 Procure IT Resources | 2.87 | 4.24 | 47.91% |
| PO5 Manage the IT Investment | 2.42 | 3.95 | 63.49% |
| PO7 Manage IT Human Resources | 2.28 | 4.16 | 82.32% |
| DS12 Manage the Physical Environment | 2.26 | 3.97 | 75.40% |
| PO1 Define a Strategic IT Plan | 2.17 | 4.14 | 91.04% |
| DS8 Manage Service Desk and Incidents | 2.16 | 4.07 | 88.42% |
| AI4 Enable Operation and Use | 2.11 | 3.89 | 84.62% |
| AI2 Acquire and Maintain Application Software | 2.08 | 3.92 | 88.04% |
| PO6 Communicate Management Aims and Direction | 2.06 | 4.01 | 94.89% |
| PO10 Manage Projects | 2.06 | 4.08 | 98.39% |
| AI3 Acquire and Maintain Technology Infrastructure | 2.04 | 4.11 | 101.09% |
| PO4 Define the IT Processes, Organisation and Relationships | 2.03 | 4.13 | 103.05% |
| AI1 Identify Automated Solutions | 2.01 | 4.06 | 101.94% |
| DS2 Manage Third-party Services | 2.00 | 3.98 | 99.48% |
| PO9 Assess and Manage IT Risks | 1.99 | 4.27 | 114.93% |
| PO3 Determine Technological Direction | 1.93 | 3.97 | 105.59% |
| DS5 Ensure Systems Security | 1.91 | 4.07 | 112.99% |

Page 15: IT Governance Capability Maturity within Government

Assessment results

Legend

Importance: 1 - Not at all; 2 - Can survive without it (if need be); 3 - Make things easier; 4 - Very significant; 5 - Critical

Performance: 1 - Some aspects rarely; 2 - Some aspects sometimes; 3 - All aspects sometimes; 4 - Parts are always done well; 5 - All is always done well

Very Significant Processes (17)

[Table repeated from Page 14]

Process with highest “Differences” (17)

| Process | Perf | Imp | % Diff |
|---|---|---|---|
| DS4 Ensure Continuous Service | 1.51 | 4.44 | 195.18% |
| PO2 Define the Information Architecture | 1.50 | 3.93 | 161.86% |
| PO8 Manage Quality | 1.72 | 4.18 | 143.01% |
| ME4 Provide IT Governance | 1.71 | 4.03 | 135.40% |
| ME2 Monitor and Evaluate Internal Control | 1.63 | 3.79 | 132.37% |
| DS3 Manage Performance and Capacity | 1.73 | 3.96 | 129.38% |
| DS10 Manage Problems | 1.80 | 4.12 | 128.26% |
| DS11 Manage Data | 1.79 | 4.05 | 127.02% |
| ME3 Ensure Compliance With External Requirements | 1.73 | 3.87 | 123.46% |
| AI6 Manage Changes | 1.88 | 4.15 | 121.47% |
| DS9 Manage the Configuration | 1.67 | 3.69 | 120.55% |
| DS13 Manage Operations | 1.74 | 3.77 | 116.24% |
| AI7 Install and Accredit Solutions and Changes | 1.85 | 3.99 | 116.00% |
| PO9 Assess and Manage IT Risks | 1.99 | 4.27 | 114.93% |
| DS5 Ensure Systems Security | 1.91 | 4.07 | 112.99% |
| ME1 Monitor and Evaluate IT Performance | 1.79 | 3.80 | 112.78% |
| DS1 Define and Manage Service Levels | 1.77 | 3.72 | 109.82% |

Page 16: IT Governance Capability Maturity within Government

Overall average

The overall average level was between a level 1 and a level 2. According to the COBIT Generic Maturity Model, the level 1 and level 2 descriptions are as follows:

“1 Initial/Ad Hoc—There is evidence that the enterprise has recognised that the issues exist and need to be addressed. There are, however, no standardised processes; instead, there are ad-hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.

2 Repeatable but Intuitive—Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.”

Page 17: IT Governance Capability Maturity within Government

Observations

• Participants gave their full cooperation and were very receptive to the final reports
• There was an awareness of IT Governance at a conceptual level but limited knowledge of the details as stipulated in COBIT or of IT Governance implementation
• Participants understood the importance of IT Governance and acknowledged that they have a key role to play in the implementation thereof. However, in many instances emphasis was placed more on “operational responsibilities” being a higher priority than on IT Governance type responsibilities.
• Some participants were not able to effectively indicate who was accountable and responsible for the execution of IT processes
• Very few had explicit IT Governance and IT Process frameworks
• Some formal IT policies, processes, procedures or plans have been instituted; however, this was not done in the context of an overall IT Governance framework and, furthermore, there were limited periodic reviews done
• Some IT processes underwent auditing, although some audits are done on an ad hoc basis
• There are limited tools used in support of executing the IT processes. Desktop productivity tools are primarily used and have limited functionality to support effective and efficient execution of the IT processes
• Unavailability of funds

Page 18: IT Governance Capability Maturity within Government

Conclusion

COBIT is a very comprehensive IT Governance framework and there is a need to simplify the implementation of COBIT IT Governance within Government departments, which could be done by:

• Establishing a “minimum” IT Governance framework
• Compiling an implementation method for the “minimum” IT Governance framework
• Compiling and making available e.g. generic policies and processes that are aligned to the “minimum” framework and that could be easily adapted
• Initiating IT Governance practitioner training
• Conducting periodic assessments

Page 19: IT Governance Capability Maturity within Government

Thank You