Isaca COBIT-2019 - COBIT 2019 Foundation

The management objective that would be given higher priority in an enterprise’s governance system when the enterprise is very risk-averse is managed portfolio. This objective relates to ensuring that IT-enabled investments are aligned with the enterprise’s risk appetite and tolerance levels, and that they deliver optimal value and benefits. This objective also involves managing the portfolio of IT-enabled investments throughout their life cycle, from initiation to retirement. The objective is based on the COBIT 2019 Design Guide3, page 71. References: 3: COBIT 2019 Design Guide | Digital | English

The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The capability levels are most likely to increase as a result of identifying specific design factors that increase the importance of certain governance and management objectives. The design factors are the characteristics or conditions that influence how an enterprise designs and implements its information and technology governance system using COBIT 2019. The design factors include aspects such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc. By identifying specific design factors that increase the importance of certain governance and management objectives, an enterprise can tailor its information and technology governance system to suit its context and needs. This will also help to improve its capability levels for those governance and management objectives that are prioritized by the design factors. For example, if an enterprise identifies that its IT deployment design factor is cloud-based or hybrid-based, it may increase the importance of certain governance and management objectives such as managed availability and capacity (BAI04), managed service agreements (APO09), managed security services (DSS05), etc., which are relevant for managing cloud-based or hybrid-based IT solutions. By tailoring its information and technology governance system to address those governance and management objectives more effectively, the enterprise can also increase its capability levels for those processes.

According to the COBIT 2019 Framework: Introduction and Methodology, one of the imperative factors to the successful implementation of IT governance is that IT governance is sponsored by executives. Executive sponsorship ensures that IT governance has sufficient authority, resources and support from the top management of the organization. Executive sponsorship also demonstrates commitment and leadership for IT governance, and fosters a culture of accountability and collaboration among stakeholders.3, p. 33-34 References: 3: COBIT 2019 Framework: Introduction and Methodology

The primary purpose of reexamining the IT strategic plan after IT governance has been operating for three years and is satisfactorily achieving desired outcomes is to assess improvement opportunities. The IT strategic plan is a document that defines the vision, mission, goals, objectives, strategies, and tactics for IT governance and management, as well as the alignment with the enterprise’s business strategy. By reexamining the plan periodically, the enterprise can identify any changes in the internal or external environment that may affect IT governance, as well as any areas for enhancement or optimization. The purpose is based on the COBIT 2019 Implementation Guide3, page 26. References: 3: COBIT 2019 Implementation Guide | Digital | English

The oversight of technology and innovation processes by the board is critical to ensuring I&T-related decisions are aligned with the enterprise’s strategies and objectives. The board is the highest governing body of the enterprise that provides direction, oversight, and accountability for the enterprise’s performance. Technology and innovation processes are the activities that enable the enterprise to leverage information and technology to create value, achieve strategic goals, and respond to changing business needs. The oversight of technology and innovation processes by the board ensures that I&T-related decisions are consistent with the enterprise’s vision, mission, values, policies, and risk appetite.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

A well-developed business case is essential to help ensure that a project’s benefits are identified and continually monitored. A business case is a document that provides the rationale and evidence for initiating, continuing, or terminating a project or program. A business case typically consists of several elements, such as problem statement, objectives, scope, benefits, costs, risks, assumptions, etc. A well-developed business case helps to ensure that a project’s benefits are identified and continually monitored by defining the expected outcomes or value that will be delivered by the project, as well as the metrics and indicators that will be used to measure and track them.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

According to the COBIT 2019 Design Guide, a service manager is responsible for managing the development, implementation, evaluation and ongoing maintenance of new and existing products and services. A service manager ensures that the products and services meet the needs and expectations of the customers and stakeholders, and that they are aligned with the enterprise strategy and objectives. A service manager also monitors and reports on the performance and quality of the products and services, and initiates improvement actions when necessary.1, p. 64 References: 1: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

The EGIT business case outline and details are documents that describe the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT business case outline and details provide the basis for obtaining approval, funding, resources, and support for the program from the stakeholders. The responsibility for developing an EGIT business case outline and details resides with the CIO and program steering committee. The CIO is the senior executive responsible for leading and managing the information and technology function in an enterprise. The CIO has a role in developing, reviewing, validating, and approving the EGIT business case outline and details, ensuring that they are aligned with the enterprise’s strategy, objectives, needs, and expectations. The CIO also has a role in communicating and presenting the EGIT business case outline and details to other stakeholders such as the board, executives, business managers, IT managers, etc., and obtaining their buy-in and commitment for the program. The program steering committee is a group of senior stakeholders who provide strategic direction, oversight, guidance, and approval for the EGIT implementation program. The program steering committee has a role in developing, reviewing, validating, and approving the EGIT business case outline and details, ensuring that they are consistent with the enterprise’s vision, mission, values, strategy goals,and objectives. The program steering committee also has a role in monitoring and controlling the execution of the EGIT implementation program plan against the EGIT business case outline and details34 References: 3: COBIT 2019 Implementation Guide: page 37-38 4: COBIT 2019 Implementation Guide: page 39-40

 The IT balanced scorecard (BSC) is a tool that helps to measure and communicate the achievement of IT goals in relation to enterprise goals, using four dimensions: financial, customer, internal, and learning and growth. The alignment goal titled “Enabling and supporting business processes by integrating applications and technology” is aligned to the internal dimension of the IT BSC, as it relates to the efficiency and effectiveness of IT processes that support business processes2, p. 20. References: 2: COBIT 2019 Framework: Governance and Management Objectives

Enterprise governance of information and technology (EGIT) is an integral part of corporate governance. Corporate governance is the system by which an enterprise is directed and controlled by its board, management, shareholders, and other stakeholders. Corporate governance aims to ensure that the enterprise achieves its goals and objectives, creates value for its stakeholders, complies with laws and regulations, operates ethically and responsibly, etc. EGIT is the subset of corporate governance that deals specifically with information and technology. EGIT aims to ensure that information and technology support the enterprise strategy and objectives, create value for the enterprise and its stakeholders, optimize risks and resources, etc.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System