
IT GOVERNANCE FRAMEWORKS: COBIT, BS7799, ITIL

EITRM: Group 7 Section A

Submitted By:
Aditya Dogra | Chandraboli Roy Choudhary | Dharani Dharan | Himal Vaghela |
Portia Khan

INTRODUCTION - COBIT
Control Objectives for Information and Related Technology (COBIT) is a set of best practices for Information Technology management developed by ISACA (Information Systems Audit & Control Association) and the IT Governance Institute.
It is a comprehensive framework that helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.
It enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility and considering the IT-related interests of internal and external stakeholders.
The principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

ADVANTAGES OF USING COBIT

Mitigates organizational risk for IT and the business as a whole
Strengthens security
Eases the auditing and compliance burden
Reduces cost while improving the consistency of IT delivery
Helps maximize the trust in, and value from, enterprise information and technology
Helps address the needs of stakeholders across the enterprise
Clarifies goals for more effective decision making
Provides a systematic approach and common vocabulary for addressing today's most challenging aspects of meeting enterprise performance goals
Provides an end-to-end framework that integrates other approaches and standards, and simplifies complex approaches

DISADVANTAGES OF COBIT

It requires a great deal of knowledge to understand the framework before it can be applied as a tool to support IT governance
It is considered a specialist method with many criteria, and it requires a certain degree of expertise to use the methodology effectively
The level of detail available in COBIT can pose a practical problem: for example, it has 318 recommended control objectives, and satisfying all of them can prove to be a challenge
It does not provide much detail about how processes should be implemented to support internal control

APPLICATION OF COBIT IN A HIGHER PUBLIC EDUCATIONAL INSTITUTION

Implementation and use of COBIT for IT governance in the Viana do Castelo Polytechnic Institute in Portugal
It consists of six organic units (schools and services):
Technology and Administration High School
Agrarian High School
Education High School
Management Sciences High School
Nursing High School
Central Services and Social Services

THE DIFFERENT DEPARTMENTS

Management of Works and Infrastructure Resources
Technical and Educational Resources (Library, Educational Spaces)
Human Resources
Management and Improvement System
Information Systems Management
Economic-Financial Management (Supply, Accounting and Treasury, and State Property)
Health and Safety
Academic
Project Management
Promotion and Image

THE ISSUES FACED BY THE ORGANIZATION

Integrating cross-administrative services
Difficulty of distance processes
Need for completion and circulation of documents in paper format for monitoring the trend of administrative processes
Existence of several dispersed information systems
Difficulty of monitoring the services' performance
Difficulty in controlling the backups
An organic set of IS secured and managed by the Information Department (ID) of each organic unit creates problems

THE FOUR COBIT DOMAINS

Plan and Organize the Information Systems
Acquire and Implement the Information Systems
Deliver and Support the Information Systems
Monitor and Evaluate the Information Systems

PLAN AND ORGANIZE THE INFORMATION SYSTEMS

Activities of the phase:
Align the business objectives with the IT objectives
Elaborate an IT strategic plan
Elaborate a tactical plan for the IT
Implementation of IT projects

Output:
IT strategic plan
IT quality plan
Procedures to manage projects

PROCEDURE TO ELABORATE A TACTICAL PLAN FOR INFORMATION TECHNOLOGY

The procedure is documented in three columns:
Description
Documents and Records Associated
Responsibility

ACQUIRE AND IMPLEMENT INFORMATION SYSTEMS

Procedures to:
Acquire components for the technological infrastructure
Install, reinstall and configure components in the technological infrastructure
Maintain the technological infrastructure components

DELIVER AND SUPPORT THE INFORMATION SYSTEMS

Manage incidents in the technological infrastructure
Effective availability of procedures for IT problems to the different users
Manage the data of the technological infrastructure
Maintain the data and provide procedures to manage the digital library, backups and recovery in order to guarantee quality
Manage the configuration of the technological infrastructure
Collect information about the configuration of the components in the technological infrastructure; this minimizes the number of incidents and contributes to faster resolution
Ensure the systems security of the technological infrastructure
Need to maintain the integrity of the information and to protect the IT assets, which requires security management processes
Procedures to establish and maintain security rules and responsibilities, policies, standards and procedures for acting in the IT field
Manage the performance and capacity of the technological infrastructure
Guarantee the quality of the services made available by IT
Action plan and capacity of the technological infrastructure components, to be tested, monitored and appraised
Ensure continuous service of the technological infrastructure components
Minimize the probability and the impact of service interruption in the key processes and functions that use IT
Manage the operations of the technological infrastructure components
Define procedures for backups and backup restoring; test and evaluate the security, continuity and performance of the IT components
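The backup and restore procedure above is stated only as a policy goal. The following Python script, added here as an illustration and not part of the original deck or the institute's implementation, shows one concrete check a practitioner would put behind "test and evaluate" the backups: a SHA-256 manifest recorded at backup time is compared file by file against a restored copy, so a silently corrupted or missing file fails the restore drill instead of being discovered during a real recovery. The directory layout, file contents and the corruption step are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup members do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest.
    This is what gets written alongside the backup at backup time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> list:
    """Compare a restored tree against the manifest. Returns sorted (relpath, problem)
    findings; an empty list means the restore matches file for file. Files present in
    the restore but absent from the manifest are reported too, since a restore should
    reproduce the backed-up set exactly."""
    findings = []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            findings.append((rel, "missing"))
        elif sha256_file(target) != digest:
            findings.append((rel, "checksum mismatch"))
    for rel in build_manifest(restored):
        if rel not in manifest:
            findings.append((rel, "unexpected file"))
    return sorted(findings)


def restore_drill(corrupt: bool = False) -> list:
    """Constructed end-to-end drill: source -> backup -> restore -> verify.
    With corrupt=True one restored file is altered and one is dropped, which the
    manifest check must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "ledger").mkdir(parents=True)
        # constructed sample data standing in for the institute's records
        (src / "ledger" / "2023-01.csv").write_text("acct,amount\n1001,250.00\n")
        (src / "config.ini").write_text("[db]\nhost=db01\n")
        manifest = build_manifest(src)          # recorded at backup time, kept with the backup
        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)            # the backup job (a plain copy here)
        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored)       # the restore step under test
        if corrupt:
            # simulate silent corruption and a lost file in the restored copy
            (restored / "ledger" / "2023-01.csv").write_text("acct,amount\n1001,2500.00\n")
            (restored / "config.ini").unlink()
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore findings:", restore_drill())
    print("corrupted restore findings:", restore_drill(corrupt=True))
```

The manifest must be stored separately from the backup media it describes (or signed), otherwise an attacker or a faulty job that alters the backup can alter the manifest to match; the drill result is only as trustworthy as the manifest's provenance.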

MONITOR AND EVALUATE THE INFORMATION SYSTEMS

Procedure to monitor and control the components of the infrastructure

INDICATORS
Average time to configure infrastructure components
Number of infrastructure components that are no longer supportable
Number of hours lost per user per month due to insufficient capacity planning
% of services meeting service levels
% of errors found during quality assurance review of installation and accreditation functions
Application downtime or data fixes caused by inadequate testing

THE IMPROVEMENTS
Improved the quality of service provided by the administrative services
Controlled and managed the IS more efficiently
Reduced the number of failures in communication between services and users by about 90%
Reduced the execution time of tasks by about 25%
Set policies and plans for managing the IT
Defined indicators to evaluate the performance of the services in the IT field
Efficient monitoring and control of the technological infrastructure components

INFORMATION SECURITY AND THE BS7799 FRAMEWORK

Information security management focuses on protecting information assets from threats such as:
Unauthorized disclosure (loss of confidentiality)
Unauthorized modification (loss of integrity)
Loss/destruction (loss of availability)
Information assets can be protected by assessing the threats and examining the vulnerabilities surrounding each asset; with that understanding, better decisions can be made to protect the business.
The BS7799 framework offers guidance for asking the pertinent questions about the business and managing the answers effectively.
Two parts to the framework:
BS7799-1/ISO 17799: code of practice for information security management
BS7799-2:2002: specification for information security management systems
The code of practice is organised into 10 sections containing 36 control objectives and 127 controls.
Some examples of these controls include security requirements for outsourced processes and protection against malicious software.

PROS AND CONS OF BS7799

Advantages
Industry standard based on best practices
Helps approach information security in a structured manner
Offers flexibility: not all 127 controls need to be implemented
Instils confidence in business partners
Supports regulatory/legal compliance
Can be used by any size of business in any sector

Disadvantages
Not enough detail for a standard
Adhering to the standard alone does not secure the system; a lot depends on the implementation
Documentation can be tedious
Perceived cost
Lack of enabling technology

APPLICATION OF BS7799 IN THE BANKING SECTOR

The code is applicable to the bank as it can be used by any size of business within any sector.
The BS7799 standard essentially consists of two major parts:
ISO/IEC 17799:2000 standard code of practice
BS7799-2:1999 standard specification for implementing an Information Security Management System (ISMS)
The best security practices consist of 127 security controls, which are split into 10 major sections:
1. Security policy
2. Security organisation
3. Assets classification and control
4. Personnel security
5. Physical and environmental security
6. Computer and network security
7. System access control
8. Systems development and maintenance
9. Business continuity planning
10. Compliance

Achieving accreditation: key controls
A documented information security policy
Allocation of information security responsibilities within the organisation
Security incident reporting and response
Virus detection and prevention controls
Business continuity planning process
Control of proprietary software copying
Critical record management processes
Protection of personal data/privacy (data protection)
Periodic compliance reviews

ACHIEVING BS7799 ACCREDITATION - PART ONE

Personnel security - security incident reporting and response
Integrity of staff: criminal records check, psychometric test
No misuse of information: confidentiality agreements
In banks, 60% of frauds are carried out by the company's own management

Computer and network security - business continuity planning process
Back up operating software and other critical applications
Networks need to be protected using firewalls
Wireless networks are not used, as they are vulnerable to attacks from malicious parties

System access control - control of proprietary software copying
Computers/servers holding sensitive information should be in secure offices
Where there is public access, use password-protected screensavers
Applications should be restricted and removable data drives should be disabled

Systems development and maintenance - critical record management processes
Systems are essential to banks, so data input validation is imperative
Encryption of financial information
For new systems, test data should also be protected

Business continuity planning - protection of personal data/privacy
In case of loss of data or software corruption, losing a day of trading is unaffordable
An effective continuity plan is required for normal operation

Compliance - periodic compliance reviews
Monitor and review best practices and controls
The information is highly sensitive, so compliance with the controls is required

ACHIEVING BS7799 ACCREDITATION - PART TWO

ISMS
Monitor and control security
Minimize residual business risk
Security fulfils corporate, customer and legal requirements
Six out of 16 processes are of utmost importance to the bank:

Risk assessment for the scope of the ISMS
This will comprise the information assets of significant value

Information security policy
Issued to staff, with appropriate training

Determine threats and vulnerabilities of identified assets
Risks should be identified where the cost of preventative action is worthwhile compared to the cost of recovery

Manage identified risks
To minimize potential damage to assets, manage technology and people
Manage physical security issues such as security locks and CCTV systems

ISMS IMPLEMENTATION

Business continuity planning
Identify objectives, policies and critical success factors
In the bank, existence of remote journaling and mirroring systems in the event of disaster
Example: Barclays payments received 5 days late

Selecting objectives and controls to be implemented
Choose the most appropriate controls to manage the identified risks
In the bank, consider other criteria apart from those mentioned in BS7799
Controls should be cost-effective, fit for purpose and consistent with the associated business risk

Preparing the statement of applicability
In the bank, adapt or disregard the controls listed in favour of their own controls

COBRA compliance product
A knowledge-based software for risk assessment and management
Customized set of questions for the bank, to provide a customized solution
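The bullets above ("risks should be identified where the cost of preventative action is worthwhile compared to cost of recovery", "choose the most appropriate controls to manage identified risks", and the statement of applicability) describe a cost/benefit decision without showing it. The following Python example, added here and not part of the original deck, the bank's process or the COBRA product, works that decision through with the annualized loss expectancy method (ALE = asset value x exposure factor x annual rate of occurrence), which the deck does not name and is assumed here as the quantification method. The asset value, threat rates, control costs and control references (C1..C3) are constructed for the example; the output has the shape of a statement of applicability, with each candidate control marked applicable or not together with its justification.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float             # business value in currency units (constructed)


@dataclass(frozen=True)
class Threat:
    asset: Asset
    name: str
    exposure_factor: float   # fraction of the asset value lost per occurrence, 0..1
    annual_rate: float       # expected occurrences per year (ARO)

    def ale(self) -> float:
        """Annualised loss expectancy: SLE (value x exposure factor) x ARO."""
        return self.asset.value * self.exposure_factor * self.annual_rate


@dataclass(frozen=True)
class Control:
    ref: str                    # illustrative reference, not a BS7799 clause number
    name: str
    annual_cost: float          # yearly cost of operating the control
    mitigates: Tuple[str, ...]  # names of the threats this control addresses
    rate_reduction: float       # fraction by which it reduces the ARO of those threats


def residual_ale(threat: Threat, controls: List[Control]) -> float:
    """ALE that remains once the given controls are in place (reductions compound)."""
    factor = 1.0
    for c in controls:
        if threat.name in c.mitigates:
            factor *= 1.0 - c.rate_reduction
    return threat.ale() * factor


def select_controls(threats: List[Threat], candidates: List[Control]):
    """Cheapest-first greedy selection: a control is applicable only when the expected
    loss it removes, given the controls already chosen, exceeds its own annual cost.
    Returns (selected controls, statement-of-applicability rows)."""
    selected: List[Control] = []
    soa: List[Tuple[str, str, bool, str]] = []
    for c in sorted(candidates, key=lambda c: c.annual_cost):
        before = sum(residual_ale(t, selected) for t in threats)
        after = sum(residual_ale(t, selected + [c]) for t in threats)
        benefit = before - after
        applicable = benefit > c.annual_cost
        if applicable:
            selected.append(c)
        soa.append((c.ref, c.name, applicable,
                    f"removes {benefit:,.0f}/yr of expected loss vs cost {c.annual_cost:,.0f}/yr"))
    return selected, soa


# constructed sample data for a retail bank (hypothetical figures)
CORE_DB = Asset("core banking database", 5_000_000)
THREATS = [
    Threat(CORE_DB, "ransomware", exposure_factor=0.40, annual_rate=0.10),        # ALE 200,000
    Threat(CORE_DB, "insider fraud", exposure_factor=0.02, annual_rate=2.0),      # ALE 200,000
    Threat(CORE_DB, "data centre flood", exposure_factor=0.60, annual_rate=0.02), # ALE 60,000
]
CANDIDATES = [
    Control("C1", "offline backups with quarterly restore tests", 30_000, ("ransomware",), 0.80),
    Control("C2", "staff screening and segregation of duties", 50_000, ("insider fraud",), 0.50),
    Control("C3", "mirrored site with remote journaling", 120_000, ("data centre flood",), 0.90),
]


def run_assessment():
    """Run the selection over the constructed data; returns (selected, soa, residual ALE)."""
    selected, soa = select_controls(THREATS, CANDIDATES)
    residual = sum(residual_ale(t, selected) for t in THREATS)
    return selected, soa, residual


if __name__ == "__main__":
    selected, soa, residual = run_assessment()
    for ref, name, applicable, why in soa:
        print(f"{ref} {'APPLICABLE ' if applicable else 'NOT APPLIED'} {name}: {why}")
    print(f"residual expected loss: {residual:,.0f}/yr")
```

With these figures C1 and C2 are justified and C3 is not: the mirrored site removes 54,000/yr of expected loss at a cost of 120,000/yr. That is exactly the kind of result the deck warns about ("what suits one customer might not suit the next"): change the asset value or the flood rate and the same control flips to applicable, so the inputs, not the method, carry the decision and must be defended in the statement of applicability. The greedy order is a simplification; a bank with many interacting controls would evaluate combinations rather than one control at a time.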

ALWAYS REMEMBER: WHAT SUITS ONE CUSTOMER MIGHT NOT SUIT THE NEXT

WHERE DO THE FRAMEWORKS STAND?

[Figure: positioning of IT governance approaches. Vertical axis: primary objective, from IT decision structures and processes (focus on strategy) to IT process performance controls and metrics (focus on operations). Horizontal axis: content, from business/IT alignment (company-individual approaches) to IT focus (de facto standards).]

Business and IT strategy integrated: IBM
Business and IT strategy alignment: BCG, Gartner
Structure of global IT organizations: Giga Group
Implementation of IT governance using CobiT and ITIL: KPMG
IT process performance controls and metrics: COBIT
IT security management: ISO 17799
IT services management: ITIL

WHY ADOPT ITIL?
ITIL (IT Infrastructure Library): a systematic approach to high-quality IT service delivery
It aligns IT with business goals and service objectives
It is process-driven, scalable and flexible
Reduces IT cost while providing optimal services
Increases relationships and communication among different departments, employees, customers and users
Successfully adopted by HP, IBM, Procter & Gamble, Shell Oil, Boeing, Microsoft and the State of CA


ITIL TERMINOLOGY
(Source: Office of State Finance)

The ITIL v3 library consists of five volumes:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
The first three are primarily concerned with bringing new or improved services to the service catalog. Service Operation and CSI are concerned with service delivery and optimization of current services.

CASE STUDY: ITIL IMPLEMENTATION

COSTS AND SAVINGS [SOURCE: GARTNER]
[Chart: cost breakdown of the ITIL program by category (scale 0-35%): tools (software and hardware), consultants and trainers, internal people costs.]

The case focuses on a European IS organization. It has more than 300 IS staff, started its two-year program in 2001 and has spent around 2.6 million euros on it.
Results included savings of nearly 3.5 million euros a year (approximately 7 percent of IS operating costs) through the identification of unused or underutilized resources such as software licenses. This represented about 90 percent of the tangible savings formally identified to date.
The IS organization is now billing around 1 million euros (approximately 2 percent of total billings) for services that were being delivered but were not being charged for.
The IS organization's customer satisfaction rating went up from 6.8 to 7.6 out of 10.

REFERENCES
Jorge Ribeiro, Rui Gomes, "IT Governance using COBIT implemented in a High Public Educational Institution: A Case Study", http://www.ipvc.pt
http://www.gse.org/Search/tabid/139/Default.aspx?Search=IT+governance
http://www.kent.edu/gsearch/ITIL
https://www.gartner.com/doc/2514016/itil-process-improvement-key-initiative

THANK YOU
