ISACA and COBIT 2019 Framework

Questions and Answers

Which activity is the responsibility of the board of directors under the COBIT framework?

  • Setting the direction through prioritization and decision making. (correct)
  • Managing daily IT operations.
  • Building and running IT activities.
  • Monitoring activities only.

What do digitized enterprises rely on for survival and growth, according to the document?

  • Physical assets.
  • Traditional marketing methods.
  • Information and technology (I&T). (correct)
  • Manual labor.

What is the primary focus of EGIT in relation to digital transformation?

  • Exclusively technology innovation.
  • Value delivery and business risk mitigation. (correct)
  • Purely cost reduction.
  • Just regulatory compliance.

Which of these is the correct domain in which Governance objectives are grouped in COBIT?

  • Evaluate, Direct and Monitor (EDM) (D)

What is the main role of Management objectives within the COBIT framework?

  • To plan, build, run, and monitor activities in alignment with governance direction. (A)

What should enterprise governance of information and technology (EGIT) implementation cover?

  • Full end-to-end business and IT functional areas of responsibility. (D)

What does the COBIT framework define regarding IT-related decisions?

  • It defines the components that describe which decisions should be taken, how, and by whom. (B)

What benefit does COBIT provide to executive management?

  • Guidance on how to organize and monitor the performance of I&T. (A)

Which of the following is an external stakeholder that can benefit from COBIT?

  • Regulators (D)

What is the role of design factors in COBIT?

  • To influence the design of an enterprise's governance system, tailoring it for success (C)

How do design factors affect the selection of governance and management objectives?

  • Design factors make some objectives more important than others, leading to higher target capability levels (C)

What is the COBIT principle related to enterprise processes?

  • That they describe an organized set of practices and activities to achieve specific IT related objectives. (B)

What is the relationship between COBIT's goals cascade and enterprise strategy?

  • A goals cascade supports enterprise goals, helping to prioritize management objectives based on enterprise goals. (A)

What is a function of the 'Managed Enterprise Architecture' (APO03) objective in COBIT?

  • Representing the different building blocks that make up the enterprise. (D)

According to COBIT, what do strategic alignment and performance measurement ensure?

  • That I&T-related objectives align with enterprise goals. (A)

What is the purpose of Managed Security Services (DSS05) in COBIT?

  • To minimize the business impact of operational information security vulnerabilities and incidents. (B)

What is the result of good information Ethics of organization when designing a business model?

  • Meeting the Enterprise Strategies and Goals. (B)

What component of a governance system translates desired behaviors into practical guidance for day-to-day use?

  • Principles, policies and frameworks (C)

If an enterprise is said to have a 'focus on growing revenues', which Enterprise Strategy are they employing?

  • Growth/Acquisition (C)

What's a primary aspect of the EGIT program?

  • The importance of having good relations and collaboration with multiple entities. (D)

What is true of Enterprises which use a DevOps model? Each process should be capable of using a DevOps working method.

  • A governance system variant could be applied to several groups with the COBIT framework. (B)

Which of the following best describes governance within the context of COBIT?

  • Overall goals, that are then delegated to operational divisions. (B)

If an enterprise is operating in a geopolitical situation of high international conflict, which design factor best represents this situational risk?

  • Threat Landscape. (B)

In the pre-planning phase of an EGIT implementation, what is among the first steps to be undertaken?

  • Finalizing the stakeholders which will be participating. (A)

Which COBIT principle emphasizes the need for a governance system that can adapt to changes such as new technologies or strategies?

  • Dynamic (D)

Which of these is not suggested to perform when improving a system that has COBIT as part of its framework?

  • Realize long term goals for the project. (D)

Which situation would require highly capable security related processes?

  • High threat landscape. (C)

What is the aim of the 'ensured benefits delivery' EDM02 subcategory?

  • Optimal value output and accurate understanding of costs benefits. (A)

What benefit does COBIT offer to business managers?

  • Understanding how to obtain required I&T solutions and exploit new technology. (A)

Which activities fall under the Monitor, Evaluate and Assess (MEA) domain?

  • Performance monitoring and conformance of I&T against targets. (A)

What's a key part of realizing a successful and continuous maintenance of governance through COBIT?

  • That the program should be operated as normal business practice, like all standard business functions. (D)

What needs to occur in the final steps of designing a tailored governance system?

  • Analyze any conflicts, and design an approach based on key tasks and an overall framework. (C)

What is the function of Risk Optimization in a business model?

  • Preserve and protect value via IT implementations. (B)

What does I&T include according to the COBIT framework?

  • The technology and information processing to achieve goals. (C)

The use of DevOps in operations and solution development would most likely require:

  • a variant of certain generic COBIT processes. (B)

What is the primary result of using Design Factors when improving various systems?

  • The enterprise is positioned for success through good use of I&T. (C)

Flashcards

What is ISACA?

A global association helping individuals and enterprises achieve the positive potential of technology.

What is COBIT® 2019 Framework?

Primarily an educational resource for enterprise governance of information and technology (EGIT), assurance, risk and security professionals.

What are the benefits of EGIT?

Achieving alignment and value from I&T, risk optimization, and resource optimization.

What is COBIT?

A framework for the governance and management of enterprise information and technology, aimed at the whole enterprise.

What does Governance Ensure?

Ensure stakeholder needs are evaluated, direction is set, and performance/compliance are monitored

What are the COBIT® 2019 Principles based on?

Principles that describe the core requirements of a governance system and principles for a governance framework.

What is the first principle for a governance system?

Each enterprise needs a governance system to satisfy stakeholder needs and generate value from I&T.

What is the fifth principle for a governance system?

A governance system should be tailored to the enterprise's needs, using design factors.

What should a governance framework be?

It should be based on a conceptual model, open and flexible, and align to major standards.

What components help build a Governance System?

Process, organizational structures, policies, information flows, culture, skills, and infrastructure.

What are Design Factors?

Factors that influence the design of an enterprise's governance system and position it for success in the use of I&T.

Name some Design Factors

Enterprise strategy, goals, risk profile, I&T-related issues, and threat landscape.

What is a Goals Cascade?

Stakeholder needs translated into an enterprise's actionable strategy.

What actions encompass the EDM Domain?

Evaluate, direct, and monitor strategic options.

Name the 4 Management Domains

Align, plan, and organize; build, acquire, and implement; deliver, service, and support; monitor, evaluate, and assess.

What is a Capability Level?

The measure of how a process is implemented and performing.

What is a focus area?

A governance topic, domain, or issue that can be addressed by governance objectives and components.

What is a Program Risk assessment?

Identifies potential risks to the EGIT program's success and ways to mitigate them.

What is the purpose of the DSS01?

To deliver I&T operational product and service outcomes as planned.

What is the Cloud sourcing model for IT?

The enterprise maximizes the use of the cloud for providing IT services to its users.

Study Notes

  • ISACA is nearing its 50th year as a global association

ISACA's Purpose

  • ISACA exists to help individuals and enterprises achieve the positive potential of technology
  • It equips professionals with knowledge, credentials, education, and community in order to advance careers and transform organizations
  • ISACA leverages the expertise of its half-million professionals in fields like info and cyber security, governance, assurance, risk, and innovation
  • ISACA's CMMI Institute helps advance innovation through technology
  • ISACA has a presence in more than 188 countries with more than 217 chapters and offices in the US and China

Disclaimer

  • ISACA created COBIT 2019 Framework as an educational resource for enterprise governance of info/tech, assurance, risk, and security professionals
  • ISACA makes no claim that the use of the Work will assure a successful outcome
  • A professional should apply their own professional judgement

Introduction to Enterprise Governance of Information and Technology (EGIT)

  • I&T is crucial for support, sustainability, and growth of enterprises due to digital transformation
  • Stakeholder value creation includes realizing benefits at an optimal resource cost while optimizing risks
  • Centrality of I&T for risk management and value generation has led to focus on EGIT
  • EGIT is an integral part of corporate governance and is exercised by the board

Benefits of Information and Technology Governance

  • EGIT is concerned with value delivery from digital transformation and the mitigation of business risk resulting from that transformation
  • Successful EGIT adoption will have the following
    • Benefits realization includes creating value for the enterprise through I&T, maintaining/increasing value from existing investments while eliminating initiatives not creating sufficient value
    • The basic value of I&T is the delivery of fit-for-purpose services and solutions on time and within budget, generating financial and non financial benefits aligned with business values
      • IT value should show the impact and contribution of IT-enabled investment in the enterprise's value creation
    • Risk optimization is addressing the business risks associated with using, owning, operating, involving, influencing, and adopting I&T
      • Managing I&T-related risk should ensure a focus on IT by the enterprise
    • Resource optimization makes sure appropriate capabilities are in place to execute plans providing sufficient, appropriate and effective resources
      • Resource optimization ensures an integrated, economical IT infrastructure is provided
    • Strategic alignment and performance measurements are important for all activities aligning I&T-related objectives with enterprise goals

COBIT as an I&T Governance Framework

  • Best-practice frameworks have been developed to support understanding, designing and implementing EGIT
  • COBIT has developed into a broader and more comprehensive I&T governance and management framework that's generally accepted

What is COBIT? (and What Isn't?)

  • COBIT is a framework for governance and management of enterprise information and technology aimed at the whole enterprise
  • Enterprise I&T is all the technology and information processing to achieve goals, wherever it happens

Guiding Principles

  • Governance ensures that:

    • Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives
    • Direction is set through prioritization and decision making
    • Performance and compliance are monitored
  • Management:

    • Plans, builds, runs, and monitors
    • Aligned with direction set by governance
    • Achieves enterprise objectives
  • COBIT defines components to build and sustain a governance system:

    • Processes
    • Organizational structures
    • Policies and procedures
    • Information flows
    • Culture and behaviors
    • Skills and infrastructure

Principles for a Governance System

  • Enterprises require a governance system to satisfy needs and generate value through I&T balancing benefits, risk, and resources with an actionable strategy
  • A governance system for I&T is built of components working together
  • Governance systems should be tailored, covering the enterprise end-to-end, distinguishing governance from management, and be dynamic

Three principles for a governance framework include the following aspects

  • Based on a conceptual model
  • Open and flexible
  • Aligned to major standards

COBIT 2019 improvements include

  • Flexibility and openness using design factors for tailoring
  • Currency and relevance referencing in alignment to outside concepts
  • Prescriptive applications constructing the concept to match what's needed
  • Performance management of IT integrating the maturity with CMMI

COBIT's Product Family

  • The product is open-ended and designed for customization. The products include the following:
    • COBIT 2019 Framework: Intro and Method
    • COBIT 2019 Framework: governance and management objectives
    • COBIT 2019 design guide: Designing Information and Technology Governance Solution
    • COBIT 2019 Implementation Guide

Focus Areas

  • Identified content contains detailed guidance on specific things; it is based on COBIT and aligned to several standards and frameworks, with content updates for users

Terms and Concepts

  • A governance/management objective is always related to one process + some related components
  • Governance objectives correspond to governance processes in dark blue, whereas management ones are lighter, executive boards vs senior management

COBIT is Grouped into Five Domains

  • EDM (evaluate, direct, monitor): Governance options in domain. Governing body evaluates, directs senior management, and monitors achievement of strategy
  • APO (align, plan, organize): Overall organization, strategy, activities involved for I&T
  • BAI (build, acquire, implement): Definition/acquisition/implementation of the solutions of I&T and integration in business processes
  • DSS (deliver, service, support): Delivery/support of I&T services, security included
  • MEA (monitor, evaluate, assess): Monitoring and conformance of I&T by internal and external requirements

Components of a Governance System

  • Required to satisfy governance and objectives
  • Components work to provide good operations

Components Breakdown

  • Processes are organized practices and activities achieving objectives and producing support
  • Organizational structures are key decision-making entities
  • Principles, policies, frameworks translate desired behavior from management
  • Information is important to the function of the governance system
  • Culture/ethics/behavior
  • People/competencies/skills
  • Services, infrastructure, applications are inclusive of technology/applications from processing

Design Factors

  • Various factors that can influence a governance system for an enterprise
  • This publication distinguishes three different types of impact that may vary in differing styles (see publication for examples)
    • Management Objective Priority/Selection
    • Components Variation
    • Need for specific focus area

Key Design Factors

  • Enterprise strategy design
  • Enterprise goals design
  • Risk Profile
  • I&T-related issues
  • Threat landscape
  • Compliance Requirements
  • Role of IT
  • Sourcing model for IT
  • IT implementation methods
  • Technology Adoption strategy
  • Enterprise size

Goals Cascade

  • Stakeholder needs turn into actionable strategy.
  • Supports governance while prioritizing goals
  • Used thoroughly in COBIT versions

COBIT Product Family

  • COBIT standards and guidelines used include:
    • American web services
    • CMMI development
    • HITRUST common security framework
    • ISO/IEC standards
    • ISF standards for IS
    • ITIL
    • US national standards of technology

COBIT and Performance Management

  • Performance management is an essential part of a governance and management system

Capability Level Model Alignments

  • Largely lines up with CMMI development; the processes are associated with "capability levels" and the focus areas are associated with "maturity levels"
  • Maturity levels are associated with focus areas, and with what is achieved once all capabilities are achieved
  • The capability scheme uses a CMMI setup. It measures how well a process performs
  • Capability levels = a measure of how well a process is in order and performed
  • The COBIT core model assigns capability levels to ensure activities are achieved

Ratings of process activities from low-to-high

  • not
  • partially
  • largely
  • fully

Maturity levels express performance without granularity
