Instrument and Question List for COBIT 2019
| Area | Domain | Objective ID | Practice ID | Practice Name | Practice Description |
|---|---|---|---|---|---|
| Governance | Evaluate, Direct and Monitor | EDM01 | EDM01.01 | Evaluate the governance system. | Continually identify and engage with the enterprise's stakeholders, document an understanding of the requirements, and evaluate the current and future design of governance of enterprise I&T. |
| Governance | Evaluate, Direct and Monitor | EDM01 | EDM01.02 | Direct the governance system. | Inform leaders on I&T governance principles and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of I&T in line with the agreed governance principles, decision-making models and authority levels. Define the information required for informed decision making. |
| Governance | Evaluate, Direct and Monitor | EDM01 | EDM01.03 | Monitor the governance system. | Monitor the effectiveness and performance of the enterprise's governance of I&T. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of I&T to enable value creation. |
| Governance | Evaluate, Direct and Monitor | EDM02 | EDM02.01 | Establish the target investment mix. | Review and ensure clarity of the enterprise and I&T strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy, type of benefit for the programs in the portfolio, degree of risk, and financial measures such as cost and expected return on investment (ROI) over the full economic life cycle. Adjust the enterprise and I&T strategies where necessary. |
| Governance | Evaluate, Direct and Monitor | EDM02 | EDM02.02 | Evaluate value optimization. | Continually evaluate the portfolio of I&T-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value. Identify and evaluate any changes in direction to management that will optimize value creation. |
| Governance | Evaluate, Direct and Monitor | EDM02 | EDM02.03 | Direct value optimization. | Direct value management principles and practices to enable optimal value realization from I&T-enabled investments throughout their full economic life cycle. |
| Governance | Evaluate, Direct and Monitor | EDM02 | EDM02.04 | Monitor value optimization. | Monitor key goals and metrics to determine whether the enterprise receives expected value and benefit from I&T-enabled investments and services. Identify significant issues and consider corrective actions. |
| Governance | Evaluate, Direct and Monitor | EDM03 | EDM03.01 | Evaluate risk management. | Continually examine and evaluate the effect of risk on the current and future use of I&T in the enterprise. Consider whether the enterprise's risk appetite is appropriate and ensure that risk to enterprise value related to the use of I&T is identified and managed. |
| Governance | Evaluate, Direct and Monitor | EDM03 | EDM03.02 | Direct risk management. | Direct the establishment of risk management practices to provide reasonable assurance that I&T risk management practices are appropriate and that actual I&T risk does not exceed the board's risk appetite. |
| Governance | Evaluate, Direct and Monitor | EDM03 | EDM03.03 | Monitor risk management. | Monitor the key goals and metrics of the risk management processes. Determine how deviations or problems will be identified, tracked and reported for remediation. |
| Governance | Evaluate, Direct and Monitor | EDM04 | EDM04.01 | Evaluate resource management. | Continually examine and evaluate the current and future need for business and I&T resources (financial and human), options for resourcing (including sourcing strategies), and allocation and management principles to meet the needs of the enterprise in the optimal manner. |
| Governance | Evaluate, Direct and Monitor | EDM04 | EDM04.02 | Direct resource management. | Ensure the adoption of resource management principles to enable optimal use of business and I&T resources throughout their full economic life cycle. |
| Governance | Evaluate, Direct and Monitor | EDM04 | EDM04.03 | Monitor resource management. | Monitor the key goals and metrics of the resource management processes. Determine how deviations or problems will be identified, tracked and reported for remediation. |
| Governance | Evaluate, Direct and Monitor | EDM05 | EDM05.01 | Evaluate stakeholder engagement and reporting requirements. | Continually examine and evaluate current and future requirements for stakeholder engagement and reporting (including reporting mandated by regulatory requirements), and communication to other stakeholders. Establish principles for engaging and communicating with stakeholders. |
| Governance | Evaluate, Direct and Monitor | EDM05 | EDM05.02 | Direct stakeholder engagement, communication and reporting. | Ensure the establishment of effective stakeholder involvement, communication and reporting, including mechanisms for ensuring the quality and completeness of information, overseeing mandatory reporting, and creating a communication strategy for stakeholders. |
| Governance | Evaluate, Direct and Monitor | EDM05 | EDM05.03 | Monitor stakeholder engagement. | Monitor stakeholder engagement levels and the effectiveness of stakeholder communication. Assess mechanisms for ensuring accuracy, reliability and effectiveness, and ascertain whether the requirements of different stakeholders in terms of reporting and communication are met. |
| Management | Align, Plan and Organize | APO01 | APO01.01 | Design the management system for enterprise I&T. | Design a management system tailored to the needs of the enterprise. Management needs of the enterprise are defined through the use of the goals cascade and by application of design factors. Ensure the governance components are integrated and aligned with the enterprise's governance and management philosophy and operating style. |
| Management | Align, Plan and Organize | APO01 | APO01.02 | Communicate management objectives, direction and decisions made. | Communicate awareness and promote understanding of alignment and I&T objectives to stakeholders throughout the enterprise. Communicate at regular intervals on important I&T-related decisions and their impact for the organization. |
| Management | Align, Plan and Organize | APO01 | APO01.03 | Implement management processes (to support the achievement of governance and management objectives). | Define target process capability levels and implementation priority based on the management system design. |
| Management | Align, Plan and Organize | APO01 | APO01.04 | Define and implement the organizational structures. | Put in place the required internal and extended organizational structures (e.g., committees) per the management system design, enabling effective and efficient decision making. Ensure that required technology and information knowledge is included in the composition of management structures. |
| Management | Align, Plan and Organize | APO01 | APO01.05 | Establish roles and responsibilities. | Define and communicate roles and responsibilities for enterprise I&T, including authority levels, responsibilities and accountability. |
| Management | Align, Plan and Organize | APO01 | APO01.06 | Optimize the placement of the IT function. | Position the IT capabilities in the overall organizational structure to reflect the strategic importance and operational dependency of IT within the enterprise. The reporting line of the CIO and representation of IT within senior management should be commensurate with the importance of I&T within the enterprise. |
| Management | Align, Plan and Organize | APO01 | APO01.07 | Define information (data) and system ownership. | Define and maintain responsibilities for ownership of information (data) and information systems. Ensure that owners classify information and systems and protect them in line with their classification. |
| Management | Align, Plan and Organize | APO01 | APO01.08 | Define target skills and competencies. | Define the required skills and competencies to achieve relevant management objectives. |
| Management | Align, Plan and Organize | APO01 | APO01.09 | Define and communicate policies and procedures. | Put in place procedures to maintain compliance with and performance measurement of policies and other components of the control framework. Enforce the consequences of noncompliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework. |
| Management | Align, Plan and Organize | APO01 | APO01.10 | Define and implement infrastructure, services and applications to support the governance and management system. | Define and implement infrastructure, services and applications to support the governance and management system (e.g., architecture repositories, risk management system, project management tools, cost-tracking tools and incident monitoring tools). |
| Management | Align, Plan and Organize | APO01 | APO01.11 | Manage continual improvement of the I&T management system. | Continually improve processes and other management system components to ensure that they can deliver against governance and management objectives. Consider COBIT implementation guidance, emerging standards, compliance requirements, automation opportunities and the feedback of stakeholders. |
| Management | Align, Plan and Organize | APO02 | APO02.01 | Understand enterprise context and direction. | Understand the enterprise context (industry drivers, relevant regulations, basis for competition), its current way of working and its ambition level in terms of digitization. |
| Management | Align, Plan and Organize | APO02 | APO02.02 | Assess current capabilities, performance and digital maturity of the enterprise. | Assess the performance of current I&T services and develop an understanding of current business and I&T capabilities (both internal and external). Assess current digital maturity of the enterprise and its appetite for change. |
| Management | Align, Plan and Organize | APO02 | APO02.03 | Define target digital capabilities. | Based on the understanding of enterprise context and direction, define the target I&T products and services and required capabilities. Consider reference standards, best practices and validated emerging technologies. |
| Management | Align, Plan and Organize | APO02 | APO02.04 | Conduct a gap analysis. | Identify gaps between current and target environments and describe the high-level changes in the enterprise architecture. |
| Management | Align, Plan and Organize | APO02 | APO02.05 | Define the strategic plan and road map. | Develop a holistic digital strategy, in cooperation with relevant stakeholders, and detail a road map that defines the incremental steps required to achieve the goals and objectives. Ensure focus on the transformation journey through the appointment of a person who helps spearhead the digital transformation and drives alignment between business and I&T. |
| Management | Align, Plan and Organize | APO02 | APO02.06 | Communicate the I&T strategy and direction. | Create awareness and understanding of the business and I&T objectives and direction, as captured in the I&T strategy, through communication to appropriate stakeholders and users throughout the enterprise. |
| Management | Align, Plan and Organize | APO03 | APO03.01 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capabilities to stakeholders within the enterprise. The architecture vision describes how the new capabilities (in line with I&T strategy and objectives) will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. |
| Management | Align, Plan and Organize | APO03 | APO03.02 | Define reference architecture. | The reference architecture describes the current and target architectures for the business, information, data, application and technology domains. |
| Management | Align, Plan and Organize | APO03 | APO03.03 | Select opportunities and solutions. | Rationalize the gaps between baseline and target architectures, accounting for both business and technical perspectives, and logically group them into project work packages. Integrate the project with any related I&T-enabled investment programs to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise's transformation readiness, and identify opportunities, solutions and all implementation constraints. |
| Management | Align, Plan and Organize | APO03 | APO03.04 | Define architecture implementation. | Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure the plan is closely coordinated to deliver value and that the required resources are available to complete the necessary work. |
| Management | Align, Plan and Organize | APO03 | APO03.05 | Provide enterprise architecture services. | Provide enterprise architecture services within the enterprise that include guidance to and monitoring of implementation projects, formalizing ways of working through architecture contracts, and measuring and communicating architecture's value and compliance monitoring. |
| Management | Align, Plan and Organize | APO04 | APO04.01 | Create an environment conducive to innovation. | Create an environment that is conducive to innovation, considering methods such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas. |
| Management | Align, Plan and Organize | APO04 | APO04.02 | Maintain an understanding of the enterprise environment. | Work with relevant stakeholders to understand their challenges. Maintain an adequate understanding of enterprise strategy, competitive environment and other constraints, so that opportunities enabled by new technologies can be identified. |
| Management | Align, Plan and Organize | APO04 | APO04.03 | Monitor and scan the technology environment. | Set up a technology watch process to perform systematic monitoring and scanning of the enterprise's external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and I&T processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context. |
| Management | Align, Plan and Organize | APO04 | APO04.04 | Assess the potential of emerging technologies and innovative ideas. | Analyze identified emerging technologies and/or other I&T innovative suggestions to understand their business potential. Work with stakeholders to validate assumptions on the potential of new technologies and innovation. |
| Management | Align, Plan and Organize | APO04 | APO04.05 | Recommend appropriate further initiatives. | Evaluate and monitor the results of proof-of-concept initiatives and, if favorable, generate recommendations for further initiatives. Gain stakeholder support. |
| Management | Align, Plan and Organize | APO04 | APO04.06 | Monitor the implementation and use of innovation. | Monitor the implementation and use of emerging technologies and innovations during adoption, integration and for the full economic life cycle to ensure that the promised benefits are realized and to identify lessons learned. |
| Management | Align, Plan and Organize | APO05 | APO05.01 | Determine the availability and sources of funds. | Determine potential sources of funds, different funding options and the implications of the funding source on the investment return expectations. |
| Management | Align, Plan and Organize | APO05 | APO05.02 | Evaluate and select programs to fund. | Based on requirements for the overall investment portfolio mix and the I&T strategic plan and road map, evaluate and prioritize program business cases and decide on investment proposals. Allocate funds and initiate programs. |
| Management | Align, Plan and Organize | APO05 | APO05.03 | Monitor, optimize and report on investment portfolio performance. | On a regular basis, monitor and optimize the performance of the investment portfolio and individual programs throughout the entire investment life cycle. Ensure continuous follow-up on the alignment of the portfolio with I&T strategy. |
| Management | Align, Plan and Organize | APO05 | APO05.04 | Maintain portfolios. | Maintain portfolios of investment programs and projects, I&T products and services, and I&T assets. |
| Management | Align, Plan and Organize | APO05 | APO05.05 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate I&T products, services and capabilities, based on the agreed and current business case. |
| Management | Align, Plan and Organize | APO06 | APO06.01 | Manage finance and accounting. | Establish and maintain a method to manage and account for all I&T-related costs, investments and depreciation as an integral part of enterprise financial systems and accounts. Report using the enterprise's financial measurement systems. |
| Management | Align, Plan and Organize | APO06 | APO06.02 | Prioritize resource allocation. | Implement a decision-making process to prioritize the allocation of resources and establish rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options. |
| Management | Align, Plan and Organize | APO06 | APO06.03 | Create and maintain budgets. | Prepare a budget reflecting investment priorities based on the portfolio of I&T-enabled programs and I&T services. |
| Management | Align, Plan and Organize | APO06 | APO06.04 | Model and allocate costs. | Establish and use an I&T costing model based, for example, on the service definition. This approach ensures that allocation of costs for services is identifiable, measurable and predictable, and encourages the responsible use of resources, including those provided by service providers. Regularly review and benchmark the cost/chargeback model to maintain its relevance and appropriateness for evolving business and IT activities. |
| Management | Align, Plan and Organize | APO06 | APO06.05 | Manage costs. | Implement a cost management process that compares actual costs against budget. Costs should be monitored and reported. Deviations from budget should be identified in a timely manner and their impact on enterprise processes and services assessed. |
| Management | Align, Plan and Organize | APO07 | APO07.01 | Acquire and maintain adequate and appropriate staffing. | Evaluate internal and external staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. |
| Management | Align, Plan and Organize | APO07 | APO07.02 | Identify key IT personnel. | Identify key IT personnel. Use knowledge capture (documentation), knowledge sharing, succession planning and staff backup to minimize reliance on a single individual performing a critical job function. |
| Management | Align, Plan and Organize | APO07 | APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfill their roles on the basis of their education, training and/or experience. Verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. |
| Management | Align, Plan and Organize | APO07 | APO07.04 | Assess and recognize/reward employee job performance. | Conduct timely, regular performance evaluations against individual objectives derived from enterprise goals, established standards, specific job responsibilities, and the skills and competency framework. Implement a remuneration/recognition process that rewards successful attainment of performance goals. |
| Management | Align, Plan and Organize | APO07 | APO07.05 | Plan and track the usage of IT and business human resources. | Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise I&T. Identify shortfalls and provide input into sourcing plans and into enterprise, business and IT recruitment processes. |
| Management | Align, Plan and Organize | APO07 | APO07.06 | Manage contract staff. | Ensure that consultants and contract personnel who support the enterprise with I&T skills know and comply with the organization's policies and meet agreed contractual requirements. |
| Management | Align, Plan and Organize | APO08 | APO08.01 | Understand business expectations. | Understand current business issues, objectives and expectations for I&T. Ensure that requirements are understood, managed and communicated, and their status agreed and approved. |
| Management | Align, Plan and Organize | APO08 | APO08.02 | Align I&T strategy with business expectations and identify opportunities for IT to enhance the business. | Align I&T strategies with current business objectives and expectations to enable IT to be a value-add partner for the business and a governance component for enhanced enterprise performance. |
| Management | Align, Plan and Organize | APO08 | APO08.03 | Manage the business relationship. | Manage the relationship between the IT service organization and its business partners. Ensure that relationship roles and responsibilities are defined and assigned, and communication is facilitated. |
| Management | Align, Plan and Organize | APO08 | APO08.04 | Coordinate and communicate. | Work with all relevant stakeholders and coordinate the end-to-end delivery of I&T services and solutions provided to the business. |
| Management | Align, Plan and Organize | APO08 | APO08.05 | Provide input to the continual improvement of services. | Continually improve and evolve I&T-enabled services and service delivery to the enterprise to align with changing enterprise objectives and technology requirements. |
| Management | Align, Plan and Organize | APO09 | APO09.01 | Identify I&T services. | Analyze business requirements and the degree to which I&T-enabled services and service levels support business processes. Discuss and agree with the business on potential services and service levels. Compare potential service levels against the current service portfolio; identify new or changed services or service level options. |
| Management | Align, Plan and Organize | APO09 | APO09.02 | Catalog I&T-enabled services. | Define and maintain one or more service catalogs for relevant target groups. Publish and maintain live I&T-enabled services in the service catalogs. |
| Management | Align, Plan and Organize | APO09 | APO09.03 | Define and prepare service agreements. | Define and prepare service agreements based on options in the service catalogs. Include internal operational agreements. |
| Management | Align, Plan and Organize | APO09 | APO09.04 | Monitor and report service levels. | Monitor service levels, report on achievements and identify trends. Provide the appropriate management information to aid performance management. |
| Management | Align, Plan and Organize | APO09 | APO09.05 | Review service agreements and contracts. | Conduct periodic reviews of the service agreements and revise when needed. |
| Management | Align, Plan and Organize | APO10 | APO10.01 | Identify and evaluate vendor relationships and contracts. | Continuously search for and identify vendors and categorize them into type, significance and criticality. Establish criteria to evaluate vendors and contracts. Review the overall portfolio of existing and alternative vendors and contracts. |
| Management | Align, Plan and Organize | APO10 | APO10.02 | Select vendors. | Select suppliers according to a fair and formal practice to ensure a viable best fit based on specified requirements. Requirements should be optimized with input from potential suppliers. |
| Management | Align, Plan and Organize | APO10 | APO10.03 | Manage vendor relationships and contracts. | Formalize and manage the supplier relationship for each supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. Deal with contractual disputes. |
| Management | Align, Plan and Organize | APO10 | APO10.04 | Manage vendor risk. | Identify and manage risk relating to vendors' ability to continually provide secure, efficient and effective service delivery. This also includes the subcontractors or upstream vendors that are relevant in the service delivery of the direct vendor. |
| Management | Align, Plan and Organize | APO10 | APO10.05 | Monitor vendor performance and compliance. | Periodically review overall vendor performance, compliance to contract requirements and value for money. Address identified issues. |
| Management | Align, Plan and Organize | APO11 | APO11.01 | Establish a quality management system (QMS). | Establish and maintain a quality management system (QMS) that provides a standard, formal and continuous approach to quality management of information. The QMS should enable technology and business processes to align with business requirements and enterprise quality management. |
| Management | Align, Plan and Organize | APO11 | APO11.02 | Focus quality management on customers. | Focus quality management on customers by determining their requirements and ensuring integration in quality management practices. |
| Management | Align, Plan and Organize | APO11 | APO11.03 | Manage quality standards, practices and procedures and integrate quality management into key processes and solutions. | Identify and maintain standards, procedures and practices for key processes to guide the enterprise in meeting the intent of the agreed quality management system (QMS). This activity should align with I&T control framework requirements. Consider certification for key processes, organizational units, products or services. |
| Management | Align, Plan and Organize | APO11 | APO11.04 | Perform quality monitoring, control and reviews. | Monitor the quality of processes and services on an ongoing basis, in line with quality management standards. Define, plan and implement measurements to monitor customer satisfaction with quality as well as the value provided by the quality management system (QMS). The information gathered should be used by the process owner to improve quality. |
| Management | Align, Plan and Organize | APO11 | APO11.05 | Maintain continuous improvement. | Maintain and regularly communicate an overall quality plan that promotes continuous improvement. The plan should define the need for, and benefits of, continuous improvement. Collect and analyze data about the quality management system (QMS) and improve its effectiveness. Correct nonconformities to prevent recurrence. |
| Management | Align, Plan and Organize | APO12 | APO12.01 | Collect data. | Identify and collect relevant data to enable effective I&T-related risk identification, analysis and reporting. |
| Management | Align, Plan and Organize | APO12 | APO12.02 | Analyze risk. | Develop a substantiated view on actual I&T risk, in support of risk decisions. |
| Management | Align, Plan and Organize | APO12 | APO12.03 | Maintain a risk profile. | Maintain an inventory of known risk and risk attributes, including expected frequency, potential impact and responses. Document related resources, capabilities and current control activities related to risk items. |
| Management | Align, Plan and Organize | APO12 | APO12.04 | Articulate risk. | Communicate information on the current state of I&T-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response. |
| Management | Align, Plan and Organize | APO12 | APO12.05 | Define a risk management action portfolio. | Manage opportunities to reduce risk to an acceptable level as a portfolio. |
| Management | Align, Plan and Organize | APO12 | APO12.06 | Respond to risk. | Respond in a timely manner to materialized risk events with effective measures to limit the magnitude of loss. |
| Management | Align, Plan and Organize | APO13 | APO13.01 | Establish and maintain an information security management system (ISMS). | Establish and maintain an information security management system (ISMS) that provides a standard, formal and continuous approach to security and privacy management for information. Ensure that the system supports secure technology and business processes that are aligned with business requirements, enterprise security and enterprise privacy management. |
| Management | Align, Plan and Organize | APO13 | APO13.02 | Define and manage an information security risk treatment plan. | Maintain an information security plan that describes how information security risk is to be managed and aligned with enterprise strategy and architecture. Ensure that recommendations for implementing security improvements are based on approved business cases, implemented as an integral part of services and solutions development, and operated as an integral part of business operation. |
| Management | Align, Plan and Organize | APO13 | APO13.03 | Monitor and review the information security management system (ISMS). | Maintain and regularly communicate the need for, and benefits of, continuous improvement in information security. Collect and analyze data about the information security management system (ISMS), and improve its effectiveness. Correct nonconformities to prevent recurrence. |
| Management | Align, Plan and Organize | APO14 | APO14.01 | Define and communicate the organization's data management strategy and roles and responsibilities. | Define how to manage and improve the organization's data assets, in line with enterprise strategy and objectives. Communicate the data management strategy to all stakeholders. Assign roles and responsibilities to ensure that corporate data are managed as critical assets and the data management strategy is implemented and maintained in an effective and sustainable manner. |
| Management | Align, Plan and Organize | APO14 | APO14.02 | Define and maintain a consistent business glossary. | Create, approve, update and promote consistent business terms and definitions to foster shared data usage across the organization. |
| Management | Align, Plan and Organize | APO14 | APO14.03 | Establish the processes and infrastructure for metadata management. | Establish the processes and infrastructure for specifying and extending metadata about the organization's data assets, fostering and supporting data sharing, ensuring compliant use of data, improving responsiveness to business changes and reducing data-related risk. |
| Management | Align, Plan and Organize | APO14 | APO14.04 | Define a data quality strategy. | Define an integrated, organizationwide strategy to achieve and maintain the level of data quality (such as complexity, integrity, accuracy, completeness, validity, traceability and timeliness) required to support the business goals and objectives. |
| Management | Align, Plan and Organize | APO14 | APO14.05 | Establish data profiling methodologies, processes and tools. | Implement standardized data profiling methodologies, processes, practices, tools and templates that can be applied across multiple data repositories and data stores. |
| Management | Align, Plan and Organize | APO14 | APO14.06 | Ensure a data quality assessment approach. | Provide a systematic approach to measure and evaluate data quality according to processes and techniques, and against data quality rules. |
| Management | Align, Plan and Organize | APO14 | APO14.07 | Define the data cleansing approach. | Define the mechanisms, rules, processes, and methods to validate and correct data according to predefined business rules. |
| Management | Align, Plan and Organize | APO14 | APO14.08 | Manage the life cycle of data assets. | Ensure that the organization understands, maps, inventories and controls its data flows through business processes over the data life cycle, from creation or acquisition to retirement. |
| Management | Align, Plan and Organize | APO14 | APO14.09 | Support data archiving and retention. | Ensure that data maintenance satisfies organizational and regulatory requirements for availability of historical data. Ensure that legal and regulatory requirements for data archiving and retention are met. |
| Management | Align, Plan and Organize | APO14 | APO14.10 | Manage data backup and restore arrangements. | Manage availability of critical data to ensure operational continuity. |
| Management | Build, Acquire and Implement | BAI01 | BAI01.01 | Maintain a standard approach for program management. | Maintain a standard approach for program management that enables governance and management review, decision-making and delivery-management activities. These activities should focus consistently on business value and goals (i.e., requirements, risk, costs, schedule and quality targets). |
| Management | Build, Acquire and Implement | BAI01 | BAI01.02 | Initiate a program. | Initiate a program to confirm expected benefits and obtain authorization to proceed. This includes agreeing on program sponsorship, confirming the program mandate through approval of the conceptual business case, appointing program board or committee members, producing the program brief, reviewing and updating the business case, developing a benefits realization plan, and obtaining approval from sponsors to proceed. |
| Management | Build, Acquire and Implement | BAI01 | BAI01.03 | Manage stakeholder engagement. | Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information for all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations. |
| Management | Build, Acquire and Implement | BAI01 | BAI01.04 | Develop and maintain the program plan. | Formulate a program to lay the initial groundwork. Position it for successful execution by formalizing the scope of the work and identifying deliverables that will satisfy goals and deliver value. Maintain and update the program plan and business case throughout the full economic life cycle of the program, ensuring alignment with strategic objectives and reflecting the current status and insights gained to date. |
| Management | Build, Acquire and Implement | BAI01 | BAI01.05 | Launch and execute the program. | Launch and execute the program to acquire and direct the resources needed to accomplish the goals and benefits of the program as defined in the program plan. In accordance with stage-gate or release review criteria, prepare for stage-gate, iteration or release reviews to report progress and make the case for funding up to the following stage-gate or release review. |
| Management | Build, Acquire and Implement | BAI01 | BAI01.06 | Monitor, control and report on the program | |
outcomes. |
Monitor and control performance against plan
throughout the full economic life cycle of the investment, covering solution
delivery at the program level and value/outcome at the enterprise level.
Report performance to the program steering committee and the sponsors. |
|
|
|
BAI01.07 |
Manage program quality. |
Prepare and execute a quality management plan,
processes and practices that align with quality management standards (QMS).
Describe the approach to program quality and implementation. The plan should
be formally reviewed and agreed on by all parties concerned and incorporated
into the integrated program plan. |
|
|
|
BAI01.08 |
Manage program risk. |
Eliminate or minimize specific risk associated
with programs through a systematic process of planning, identifying, analyzing,
responding to, monitoring and controlling the areas or events with the
potential to cause unwanted change. Define and record any risk faced by
program management. |
|
|
|
BAI01.09 |
Close a program. |
Remove the program from the active investment
portfolio when there is agreement that the desired value has been achieved or
when it is clear it will not be achieved within the value criteria set for
the program. |
Management |
Build, Acquire and Implement |
BAI02 |
BAI02.01 |
Define and maintain business functional and
technical requirements. |
Based on the business case, identify,
prioritize, specify and agree on business information, functional, technical
and control requirements covering the scope/understanding of all initiatives
required to achieve the expected outcomes of the proposed I&T-enabled
business solution. |
|
|
|
BAI02.02 |
Perform a feasibility study and formulate
alternative solutions. |
Perform a feasibility study of potential
alternative solutions, assess their viability and select the preferred
option. If appropriate, implement the selected option as a pilot to determine
possible improvements. |
|
|
|
BAI02.03 |
Manage requirements risk. |
Identify, document, prioritize and mitigate
functional, technical and information processing-related risk associated with
the enterprise requirements, assumptions and proposed solution. |
|
|
|
BAI02.04 |
Obtain approval of requirements and solutions. |
Coordinate feedback from affected stakeholders.
At predetermined key stages, obtain approval and sign-off from the business
sponsor or product owner regarding functional and technical requirements,
feasibility studies, risk analyses and recommended solutions. |
Management |
Build, Acquire and Implement |
BAI03 |
BAI03.01 |
Design high-level solutions. |
Develop and document high-level designs for the
solution in terms of technology, business processes and workflows. Use agreed
and appropriate phased or rapid Agile development techniques. Ensure
alignment with the I&T strategy and enterprise architecture. Reassess and
update the designs when significant issues occur during detailed design or
building phases, or as the solution evolves. Apply a user-centric approach;
ensure that stakeholders actively participate in the design and approve each
version. |
|
|
|
BAI03.02 |
Design detailed solution components. |
Develop, document and elaborate detailed
designs progressively. Use agreed and appropriate phased or rapid Agile
development techniques, addressing all components (business processes and
related automated and manual controls, supporting I&T applications,
infrastructure services and technology products, and partners/suppliers).
Ensure that the detailed design includes internal and external service level
agreements (SLAs) and operational level agreements (OLAs). |
|
|
|
BAI03.03 |
Develop solution components. |
Develop solution components progressively in a
separate environment, in accordance with detailed designs following standards
and requirements for development and documentation, quality assurance (QA),
and approval. Ensure that all control requirements in the business processes,
supporting I&T applications and infrastructure services, services and
technology products, and partner/vendor services are addressed. |
|
|
|
BAI03.04 |
Procure solution components. |
Procure solution components, based on the
acquisition plan, in accordance with requirements and detailed designs,
architecture principles and standards, and the enterprise's overall
procurement and contract procedures, QA requirements, and approval standards.
Ensure that all legal and contractual requirements are identified and addressed
by the vendor. |
|
|
|
BAI03.05 |
Build solutions. |
Install and configure solutions and integrate
with business process activities. During configuration and integration of
hardware and infrastructure software, implement control, security, privacy
and auditability measures to protect resources and ensure availability and
data integrity. Update the product or services catalogue to reflect the new
solutions. |
|
|
|
BAI03.06 |
Perform quality assurance (QA). |
Develop, resource and execute a QA plan aligned
with the QMS to obtain the quality specified in the requirements definition
and in the enterprise’s quality policies and procedures. |
|
|
|
BAI03.07 |
Prepare for solution testing. |
Establish a test plan and required environments
to test the individual and integrated solution components. Include the
business processes and supporting services, applications and infrastructure. |
|
|
|
BAI03.08 |
Execute solution testing. |
During development, execute testing continually
(including control testing), in accordance with the defined test plan and
development practices in the appropriate environment. Engage business process
owners and end users in the test team. Identify, log and prioritize errors
and issues identified during testing. |
|
|
|
BAI03.09 |
Manage changes to requirements. |
Track the status of individual requirements
(including all rejected requirements) throughout the project life cycle.
Manage the approval of changes to requirements. |
|
|
|
BAI03.10 |
Maintain solutions. |
Develop and execute a plan for the maintenance
of solution and infrastructure components. Include periodic reviews against
business needs and operational requirements. |
|
|
|
BAI03.11 |
Define IT products and services and maintain
the service portfolio. |
Define and agree on new or changed IT products
or services and service level options. Document new or changed product and
service definitions and service level options to be updated in the products
and services portfolio. |
|
|
|
BAI03.12 |
Design solutions based on the defined
development methodology. |
Design, develop and implement solutions with
the appropriate development methodology (i.e., waterfall, Agile or bimodal
I&T), in accordance with the overall strategy and requirements. |
Management |
Build, Acquire and Implement |
BAI04 |
BAI04.01 |
Assess current availability, performance and
capacity and create a baseline. |
Assess availability, performance and capacity
of services and resources to ensure that cost-justifiable capacity and
performance are available to support business needs and deliver against
service level agreements (SLAs). Create availability, performance and
capacity baselines for future comparison. |
|
|
|
BAI04.02 |
Assess business impact. |
Identify important services to the enterprise.
Map services and resources to business processes and identify business
dependencies. Ensure that the impact of unavailable resources is fully agreed
on and accepted by the customer. For vital business functions, ensure that
availability requirements can be satisfied per service level agreement (SLA). |
|
|
|
BAI04.03 |
Plan for new or changed service requirements. |
Plan and prioritize availability, performance
and capacity implications of changing business needs and service
requirements. |
|
|
|
BAI04.04 |
Monitor and review availability and capacity. |
Monitor, measure, analyze, report and review
availability, performance and capacity. Identify deviations from established
baselines. Review trend analysis reports identifying any significant issues
and variances. Initiate actions where necessary and ensure that all
outstanding issues are addressed. |
|
|
|
BAI04.05 |
Investigate and address availability,
performance and capacity issues. |
Address deviations by investigating and
resolving identified availability, performance and capacity issues. |
Management |
Build, Acquire and Implement |
BAI05 |
BAI05.01 |
Establish the desire to change. |
Understand the scope and impact of the desired
change. Assess stakeholder readiness and willingness to change. Identify
actions that will motivate stakeholder acceptance and participation to make
the change work successfully. |
|
|
|
BAI05.02 |
Form an effective implementation team. |
Establish an effective implementation team by
assembling appropriate members, creating trust, and establishing common goals
and effectiveness measures. |
|
|
|
BAI05.03 |
Communicate desired vision. |
Communicate the desired vision for the change
in the language of those affected by it. The communication should be made by
senior management and include the rationale for, and benefits of, the change;
the impacts of not making the change; and the vision, the road map and the
involvement required of the various stakeholders. |
|
|
|
BAI05.04 |
Empower role players and identify short-term
wins. |
Empower those with implementation roles by
assigning accountability. Provide training and align organizational
structures and HR processes. Identify and communicate short-term wins that
are important from a change-enablement perspective. |
|
|
|
BAI05.05 |
Enable operation and use. |
Plan and implement all technical, operational
and usage aspects so all those who are involved in the future state
environment can exercise their responsibility. |
|
|
|
BAI05.06 |
Embed new approaches. |
Embed new approaches by tracking implemented
changes, assessing the effectiveness of the operation and use plan, and
sustaining ongoing awareness through regular communication. Take corrective
measures as appropriate (which may include enforcing compliance). |
|
|
|
BAI05.07 |
Sustain changes. |
Sustain changes through effective training of
new staff, ongoing communication campaigns, continued commitment of top
management, monitoring of adoption and sharing of lessons learned across the
enterprise. |
Management |
Build, Acquire and Implement |
BAI06 |
BAI06.01 |
Evaluate, prioritize and authorize change
requests. |
Evaluate all requests for change to determine
the impact on business processes and I&T services, and to assess whether
change will adversely affect the operational environment and introduce
unacceptable risk. Ensure that changes are logged, prioritized, categorized,
assessed, authorized, planned and scheduled. |
|
|
|
BAI06.02 |
Manage emergency changes. |
Carefully manage emergency changes to minimize
further incidents. Ensure the emergency change is controlled and takes place
securely. Verify that emergency changes are appropriately assessed and
authorized after the change. |
|
|
|
BAI06.03 |
Track and report change status. |
Maintain a tracking and reporting system to
document rejected changes and communicate the status of approved, in-process
and complete changes. Make certain that approved changes are implemented as
planned. |
|
|
|
BAI06.04 |
Close and document the changes. |
Whenever changes are implemented, update the
solution, user documentation and procedures affected by the change. |
Management |
Build, Acquire and Implement |
BAI07 |
BAI07.01 |
Establish an implementation plan. |
Establish an implementation plan that covers
system and data conversion, acceptance testing criteria, communication,
training, release preparation, promotion to production, early production
support, a fallback/back-up plan, and a post-implementation review. Obtain
approval from relevant parties. |
|
|
|
BAI07.02 |
Plan business process, system and data
conversion. |
Prepare for business process, I&T service
data and infrastructure migration as part of the enterprise’s development
methods. Include audit trails and a recovery plan should the migration fail. |
|
|
|
BAI07.03 |
Plan acceptance tests. |
Establish a test plan based on enterprisewide
standards that define roles, responsibilities, and entry and exit criteria.
Ensure that the plan is approved by relevant parties. |
|
|
|
BAI07.04 |
Establish a test environment. |
Define and establish a secure test environment
representative of the planned business process and IT operations environment
in terms of performance, capacity, security, internal controls, operational
practices, data quality, privacy requirements and workloads. |
|
|
|
BAI07.05 |
Perform acceptance tests. |
Test changes independently, in accordance with
the defined test plan, prior to migration to the live operational
environment. |
|
|
|
BAI07.06 |
Promote to production and manage releases. |
Promote the accepted solution to the business
and operations. Where appropriate, run the solution as a pilot implementation
or in parallel with the old solution for a defined period and compare
behavior and results. If significant problems occur, revert to the original
environment based on the fallback/back-up plan. Manage releases of solution
components. |
|
|
|
BAI07.07 |
Provide early production support. |
For an agreed period of time, provide early
support to users and I&T operations to resolve issues and help stabilize
the new solution. |
|
|
|
BAI07.08 |
Perform a post-implementation review. |
Conduct a post-implementation review to confirm
outcome and results, identify lessons learned, and develop an action plan.
Evaluate actual performance and outcomes of the new or changed service
against expected performance and outcomes anticipated by the user or
customer. |
Management |
Build, Acquire and Implement |
BAI08 |
BAI08.01 |
Identify and classify sources of information
for governance and management of I&T. |
Identify, validate and classify diverse sources
of internal and external information required to enable governance and
management of I&T, including strategy documents, incident reports and
configuration information that progresses from development to operations
before going live. |
|
|
|
BAI08.02 |
Organize and contextualize information into
knowledge. |
Organize information based on classification
criteria. Identify and create meaningful relationships among information
elements and enable use of information. Identify owners, and leverage and
implement enterprise-defined information levels of access to management
information and knowledge resources. |
|
|
|
BAI08.03 |
Use and share knowledge. |
Propagate available knowledge resources to
relevant stakeholders and communicate how these resources can be used to
address different needs (e.g., problem solving, learning, strategic planning
and decision making). |
|
|
|
BAI08.04 |
Evaluate and update or retire information. |
Measure the use and evaluate the currency and
relevance of information. Update information or retire obsolete information. |
Management |
Build, Acquire and Implement |
BAI09 |
BAI09.01 |
Identify and record current assets. |
Maintain an up-to-date, accurate record of all
I&T assets that are required to deliver services and that are owned or
controlled by the organization with an expectation of future benefit
(including resources with economic value, such as hardware or software).
Ensure alignment with configuration management and financial management. |
|
|
|
BAI09.02 |
Manage critical assets. |
Identify assets that are critical in providing
service capability. Maximize their reliability and availability to support
business needs. |
|
|
|
BAI09.03 |
Manage the asset life cycle. |
Manage assets from procurement to disposal.
Ensure that assets are utilized as effectively and efficiently as possible
and are accounted for and physically protected until appropriately retired. |
|
|
|
BAI09.04 |
Optimize asset value. |
Regularly review the overall asset base to
identify ways to optimize value in alignment with business needs. |
|
|
|
BAI09.05 |
Manage licenses. |
Manage software licenses to maintain the
optimal number of licenses and support business requirements. Ensure that the
number of licenses owned is sufficient to cover the installed software in
use. |
Management |
Build, Acquire and Implement |
BAI10 |
BAI10.01 |
Establish and maintain a configuration model. |
Establish and maintain a logical model of the
services, assets, infrastructure and recording of configuration items (CIs),
including the relationships among them. Include the CIs considered necessary
to manage services effectively and to provide a single, reliable description
of the assets in a service. |
|
|
|
BAI10.02 |
Establish and maintain a configuration
repository and baseline. |
Establish and maintain a configuration
management repository and create controlled configuration baselines. |
|
|
|
BAI10.03 |
Maintain and control configuration items. |
Maintain an up-to-date repository of
configuration items (CIs) by populating any configuration changes. |
|
|
|
BAI10.04 |
Produce status and configuration reports. |
Define and produce configuration reports on
status changes of configuration items. |
|
|
|
BAI10.05 |
Verify and review integrity of the
configuration repository. |
Periodically review the configuration
repository and verify completeness and correctness against the desired
target. |
Management |
Build, Acquire and Implement |
BAI11 |
BAI11.01 |
Maintain a standard approach for project
management. |
Maintain a standard approach for project
management that enables governance and management review, decision-making and
delivery-management activities. These activities should focus consistently on
business value and goals (i.e., requirements, risk, costs, schedule and
quality targets). |
|
|
|
BAI11.02 |
Start up and initiate a project. |
Define and document the nature and scope of the
project to confirm and develop a common understanding of project scope among
stakeholders. The definition should be formally approved by the project
sponsors. |
|
|
|
BAI11.03 |
Manage stakeholder engagement. |
Manage stakeholder engagement to ensure an
active exchange of accurate, consistent and timely information that reaches
all relevant stakeholders. This includes planning, identifying and engaging
stakeholders and managing their expectations. |
|
|
|
BAI11.04 |
Develop and maintain the project plan. |
Establish and maintain a formal, approved,
integrated project plan (covering business and IT resources) to guide project
execution and control throughout the life of the project. The scope of
projects should be clearly defined and tied to building or enhancing business
capability. |
|
|
|
BAI11.05 |
Manage project quality. |
Prepare and execute a quality management plan,
processes and practices that align with quality management standards (QMS).
Describe the approach to project quality and implementation. The plan should
be formally reviewed and agreed on by all parties concerned and incorporated
into the integrated project plans. |
|
|
|
BAI11.06 |
Manage project risk. |
Eliminate or minimize specific risk associated
with projects through a systematic process of planning, identifying,
analyzing, responding to, monitoring and controlling the areas or events with
potential to cause unwanted change. Define and record any risk faced by project
management. |
|
|
|
BAI11.07 |
Monitor and control projects. |
Measure project performance against key project
performance criteria such as schedule, quality, cost and risk. Identify any
deviations from expected targets. Assess the impact of deviations on the
project and overall program and report results to key stakeholders. |
|
|
|
BAI11.08 |
Manage project resources and work packages. |
Manage project work packages by placing formal
requirements on authorizing and accepting work packages and assigning and coordinating
appropriate business and IT resources. |
|
|
|
BAI11.09 |
Close a project or iteration. |
At the end of each project, release or
iteration, require the project stakeholders to ascertain whether the project,
release or iteration delivered the required results in terms of capabilities
and contributed as expected to program benefits. Identify and communicate any
outstanding activities required to achieve planned results of the project
and/or benefits of the program. Identify and document lessons learned for
future projects, releases, iterations and programs. |
Management |
Deliver, Service and Support |
DSS01 |
DSS01.01 |
Perform operational procedures. |
Maintain and perform operational procedures and
operational tasks reliably and consistently. |
|
|
|
DSS01.02 |
Manage outsourced I&T services. |
Manage the operation of outsourced I&T
services to maintain the protection of enterprise information and reliability
of service delivery. |
|
|
|
DSS01.03 |
Monitor I&T infrastructure. |
Monitor the I&T infrastructure and related
events. Store sufficient chronological information in operations logs to
reconstruct and review time sequences of operations and other activities
surrounding or supporting operations. |
|
|
|
DSS01.04 |
Manage the environment. |
Maintain measures for protection against
environmental factors. Install specialized equipment and devices to monitor
and control the environment. |
|
|
|
DSS01.05 |
Manage facilities. |
Manage facilities, including power and
communications equipment, in line with laws and regulations, technical and
business requirements, vendor specifications, and health and safety
guidelines. |
Management |
Deliver, Service and Support |
DSS02 |
DSS02.01 |
Define classification schemes for incidents and
service requests. |
Define classification schemes and models for
incidents and service requests. |
|
|
|
DSS02.02 |
Record, classify and prioritize requests and
incidents. |
Identify, record and classify service requests
and incidents and assign a priority according to business criticality and
service agreements. |
|
|
|
DSS02.03 |
Verify, approve and fulfill service requests. |
Select the appropriate request procedures and
verify that the service requests fulfill defined request criteria. Obtain
approval, if required, and fulfill the requests. |
|
|
|
DSS02.04 |
Investigate, diagnose and allocate incidents. |
Identify and record incident symptoms,
determine possible causes, and allocate for resolution. |
|
|
|
DSS02.05 |
Resolve and recover from incidents. |
Document, apply and test the identified
solutions or workarounds. Perform recovery actions to restore the
I&T-related service. |
|
|
|
DSS02.06 |
Close service requests and incidents. |
Verify satisfactory incident resolution and/or
fulfillment of requests, and close. |
|
|
|
DSS02.07 |
Track status and produce reports. |
Regularly track, analyze and report incidents
and fulfillment of requests. Examine trends to provide information for
continual improvement. |
Management |
Deliver, Service and Support |
DSS03 |
DSS03.01 |
Identify and classify problems. |
Define and implement criteria and procedures to
identify and report problems. Include problem classification, categorization
and prioritization. |
|
|
|
DSS03.02 |
Investigate and diagnose problems. |
Investigate and diagnose problems using
relevant subject matter experts to assess and analyze root causes. |
|
|
|
DSS03.03 |
Raise known errors. |
As soon as root causes of problems are
identified, create known-error records, document appropriate workarounds and
identify potential solutions. |
|
|
|
DSS03.04 |
Resolve and close problems. |
Identify and initiate sustainable solutions
addressing the root cause. Raise change requests via the established change
management process, if required, to resolve errors. Ensure that the personnel
affected are aware of the actions taken and the plans developed to prevent
future incidents from occurring. |
|
|
|
DSS03.05 |
Perform proactive problem management. |
Collect and analyze operational data
(especially incident and change records) to identify emerging trends that may
indicate problems. Log problem records to enable assessment. |
Management |
Deliver, Service and Support |
DSS04 |
DSS04.01 |
Define the business continuity policy,
objectives and scope. |
Define business continuity policy and scope,
aligned with enterprise and stakeholder objectives, to improve business
resilience. |
|
|
|
DSS04.02 |
Maintain business resilience. |
Evaluate business resilience options and choose
a cost-effective and viable strategy that will ensure enterprise continuity,
disaster recovery and incident response in the face of a disaster or other
major incident or disruption. |
|
|
|
DSS04.03 |
Develop and implement a business continuity
response. |
Develop a business continuity plan (BCP) and
disaster recovery plan (DRP) based on the strategy. Document all procedures
necessary for the enterprise to continue critical activities in the event of
an incident. |
|
|
|
DSS04.04 |
Exercise, test and review the business
continuity plan (BCP) and disaster recovery plan (DRP). |
Test continuity on a regular basis to exercise
plans against predetermined outcomes, uphold business resilience and allow
innovative solutions to be developed. |
|
|
|
DSS04.05 |
Review, maintain and improve the continuity
plans. |
Conduct a management review of the continuity
capability at regular intervals to ensure its continued suitability, adequacy
and effectiveness. Manage changes to the plans in accordance with the change
control process to ensure that continuity plans are kept up to date and
continually reflect actual business requirements. |
|
|
|
DSS04.06 |
Conduct continuity plan training. |
Provide all concerned internal and external
parties with regular training sessions regarding procedures and their roles
and responsibilities in case of disruption. |
|
|
|
DSS04.07 |
Manage backup arrangements. |
Maintain availability of business-critical
information. |
|
|
|
DSS04.08 |
Conduct post-resumption review. |
Assess the adequacy of the business continuity
plan (BCP) and disaster recovery plan (DRP) following successful resumption
of business processes and services after a disruption. |
Management |
Deliver, Service and Support |
DSS05 |
DSS05.01 |
Protect against malicious software. |
Implement and maintain preventive, detective
and corrective measures (especially up-to-date security patches and virus
control) across the enterprise to protect information systems and technology
from malicious software (e.g., malware, ransomware, viruses, worms, spyware,
spam). |
|
|
|
DSS05.02 |
Manage network and connectivity security. |
Use security measures and related management
procedures to protect information over all methods of connectivity. |
|
|
|
DSS05.03 |
Manage endpoint security. |
Ensure that endpoints (e.g., laptop, desktop,
server, and other mobile and network devices or software) are secured at a
level that is equal to or greater than the defined security and privacy
requirements for the information processed, stored or transmitted. |
|
|
|
DSS05.04 |
Manage user identity and logical access. |
Ensure that all users have information access
rights in accordance with the business unit's privacy policy and business
requirements. Coordinate with business units that manage their own access
rights within business processes. |
|
|
|
DSS05.05 |
Manage physical access to I&T assets. |
Define and implement procedures (including
emergency procedures) to grant, limit and revoke access to premises,
buildings and areas, according to business need. Access to premises,
buildings and areas should be justified, authorized, logged and monitored.
This requirement applies to all persons entering the premises, including
staff, temporary staff, clients, vendors, visitors or any other third party. |
|
|
|
DSS05.06 |
Manage sensitive documents and output devices. |
Establish appropriate physical safeguards,
accounting practices and inventory management regarding sensitive I&T
assets, such as special forms, negotiable instruments, special-purpose
printers or security tokens. |
|
|
|
DSS05.07 |
Manage vulnerabilities and monitor the
infrastructure for security-related events. |
Using a portfolio of tools and technologies
(e.g., intrusion detection tools), manage vulnerabilities and monitor the
infrastructure for unauthorized access. Ensure that security tools,
technologies and detection are integrated with general event monitoring and
incident management. |
Management |
Deliver, Service and Support |
DSS06 |
DSS06.01 |
Align control activities embedded in business
processes with enterprise objectives. |
Continually assess and monitor the execution of
business process activities and related controls (based on enterprise risk),
to ensure that processing controls align with business needs. |
|
|
|
DSS06.02 |
Control the processing of information. |
Operate the execution of the business process
activities and related controls, based on enterprise risk. Ensure that
information processing is valid, complete, accurate, timely and secure (i.e.,
reflects legitimate and authorized business use). |
|
|
|
DSS06.03 |
Manage roles, responsibilities, access
privileges and levels of authority. |
Manage business roles, responsibilities, levels
of authority and segregation of duties needed to support the business process
objectives. Authorize access to all information assets related to business
information processes, including those under the custody of the business, IT
and third parties. This ensures that the business knows where the data are
and who is handling data on its behalf. |
|
|
|
DSS06.04 |
Manage errors and exceptions. |
Manage business process exceptions and errors
and facilitate remediation, executing defined corrective actions and
escalating as necessary. This treatment of exceptions and errors provides
assurance of the accuracy and integrity of the business information process. |
Management | Deliver, Service and Support | DSS06 | DSS06.05 | Ensure traceability and accountability for information events. | Ensure that business information can be traced to an originating business event and associated with accountable parties. This discoverability provides assurance that business information is reliable and has been processed in accordance with defined objectives. |
Management | Deliver, Service and Support | DSS06 | DSS06.06 | Secure information assets. | Secure information assets accessible by the business through approved methods, including information in electronic form (e.g., portable media devices, user applications and storage devices, or other methods that create new assets in any form), information in physical form (e.g., source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information. |
Management | Monitor, Evaluate and Assess | MEA01 | MEA01.01 | Establish a monitoring approach. | Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system. |
Management | Monitor, Evaluate and Assess | MEA01 | MEA01.02 | Set performance and conformance targets. | Work with stakeholders to define, periodically review, update and approve performance and conformance targets within the performance measurement system. |
Management | Monitor, Evaluate and Assess | MEA01 | MEA01.03 | Collect and process performance and conformance data. | Collect and process timely and accurate data aligned with enterprise approaches. |
Management | Monitor, Evaluate and Assess | MEA01 | MEA01.04 | Analyze and report performance. | Periodically review and report performance against targets. Use a method that provides a succinct all-around view of I&T performance and fits within the enterprise monitoring system. |
Management | Monitor, Evaluate and Assess | MEA01 | MEA01.05 | Ensure the implementation of corrective actions. | Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies. |
Management | Monitor, Evaluate and Assess | MEA02 | MEA02.01 | Monitor internal controls. | Continuously monitor, benchmark and improve the I&T control environment and control framework to meet organizational objectives. |
Management | Monitor, Evaluate and Assess | MEA02 | MEA02.02 | Review effectiveness of business process controls. | Review the operation of controls, including monitoring and test evidence, to ensure that controls within business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing, continuous monitoring, independent assessments, command and control centers, and network operation centers. This evidence assures the enterprise that controls meet requirements related to business, regulatory and social responsibilities. |
Management | Monitor, Evaluate and Assess | MEA02 | MEA02.03 | Perform control self-assessments. | Encourage management and process owners to improve controls proactively through a continuing program of self-assessment that evaluates the completeness and effectiveness of management’s control over processes, policies and contracts. |
Management | Monitor, Evaluate and Assess | MEA02 | MEA02.04 | Identify and report control deficiencies. | Identify control deficiencies and analyze and identify their underlying root causes. Escalate control deficiencies and report to stakeholders. |
Management | Monitor, Evaluate and Assess | MEA03 | MEA03.01 | Identify external compliance requirements. | On a continuous basis, monitor changes in local and international laws, regulations and other external requirements and identify mandates for compliance from an I&T perspective. |
Management | Monitor, Evaluate and Assess | MEA03 | MEA03.02 | Optimize response to external requirements. | Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider adopting and adapting industry standards, codes of good practice, and good practice guidance. |
Management | Monitor, Evaluate and Assess | MEA03 | MEA03.03 | Confirm external compliance. | Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements. |
Management | Monitor, Evaluate and Assess | MEA03 | MEA03.04 | Obtain assurance of external compliance. | Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner. |
Management | Monitor, Evaluate and Assess | MEA04 | MEA04.01 | Ensure that assurance providers are independent and qualified. | Ensure that the entities performing assurance are independent from the function, groups or organizations in scope. The entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards. |
Management | Monitor, Evaluate and Assess | MEA04 | MEA04.02 | Develop risk-based planning of assurance initiatives. | Determine assurance objectives based on assessments of the internal and external environment and context, the risk of not achieving enterprise goals, and the opportunities associated with achievement of the same goals. |
Management | Monitor, Evaluate and Assess | MEA04 | MEA04.03 | Determine the objectives of the assurance initiative. | Define and agree with all stakeholders on the objectives of the assurance initiative. |
Management | Monitor, Evaluate and Assess | MEA04 | MEA04.04 | Define the scope of the assurance initiative. | Define and agree with all stakeholders on the scope of the assurance initiative, based on the assurance objectives. |
Management | Monitor, Evaluate and Assess | MEA04 | MEA04.05 | Define the work program for the assurance initiative. | Define a detailed work program for the assurance initiative, structured according to the management objectives and governance components in scope. |
Management | Monitor, Evaluate and Assess | MEA04 | MEA04.06 | Execute the assurance initiative, focusing on design effectiveness. | Execute the planned assurance initiative. Validate and confirm the design of the internal controls in place. Additionally, and specifically in internal audit assignments, consider the cost-effectiveness of the governance component design. |
Management | Monitor, Evaluate and Assess | MEA04 | MEA04.07 | Execute the assurance initiative, focusing on operating effectiveness. | Execute the planned assurance initiative. Test whether the internal controls in place are appropriate and sufficient. Test the outcome of the key management objectives in scope of the assurance initiative. |
Management | Monitor, Evaluate and Assess | MEA04 | MEA04.08 | Report and follow up on the assurance initiative. | Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control weaknesses. |
Management | Monitor, Evaluate and Assess | MEA04 | MEA04.09 | Follow up on recommendations and actions. | Agree on, follow up and implement the identified recommendations for improvement. |