COBIT Case Studies
These testimonials are excerpted from case studies of COBIT. They demonstrate its benefits, common applications and uses. To submit a COBIT case study, email publication@agemboutique.com.
European Network of Transmission System Operators for Electricity (ENTSO-E)
11 April 2016
The IT director of the European Network of Transmission System Operators for Electricity (ENTSO-E) undertook a pragmatic approach toward implementing COBIT 5 at the organization beginning in 2014. Taking a practical approach toward implementing a program for governance of enterprise IT (GEIT) based on COBIT 5, ENTSO-E focused on prioritizing the processes, the development of these processes and—most important—the practical issues to overcome during the implementation of a new way of working.
Ministry of Manpower Sultanate of Oman
22 February 2016
As part of a mandate to implement a national IT infrastructure project and supervise all projects related to implementation of the Digital Oman Strategy while providing professional leadership to various other e-governance initiatives of the Sultanate of Oman, the Ministry of Manpower’s network and information security department and systems and applications development department set out to implement an information security management system across the entire Ministry. Various options for implementing IT governance and available frameworks were categorically and systematically reviewed and, finally, the process engineering group (PEG) recommended COBIT 5, specifically its 5 principles, as the solution for the implementation of GEIT.
Dubai Customs
18 January 2016
Dubai Customs is responsible for facilitating trade and helps secure the integrity of Dubai’s borders against smuggling attempts. To support business objectives effectively, individual departments within Dubai Customs are encouraged to seek, prepare for and implement global best practices that are relevant to that specific division on their own. Over the years, Dubai Customs has used a number of frameworks and each is managed by individual departments within the organization. Dubai Customs management determined that it would be better to have a single integrated governance framework and system working across the organization that could connect all of the implemented best practices in the organization and deliver value to the entire organization. COBIT 5 was agreed upon as the preferred framework.
Anonymous—shared service center
9 November 2015
In the summer of 2014, the chief information officer (CIO) of a shared service center (SSC) owned by 3 different, culturally diverse types of companies asked the author to perform an assessment based on COBIT 5. The most pressing question the CIO needed to answer for his organization’s board of directors (BoD) was, “Are we in control of IT?” One year later, the consultant’s goal is to evaluate whether the CIO and the managers of the SSC are making progress in answering the board’s question with, “Yes, we are in control of IT because of ….” This article describes the work that had to be done (using combined knowledge of ISO/IEC 38500, COBIT 4.1 and COBIT 5) to make COBIT 5 more applicable and support the one-year-later assessment at the SSC.
Generali Group
2 November 2015
In a global company, apart from the different business unit perceptions, there is also an additional issue to be dealt with: language. When an audit methodology is defined, the diversity of stakeholders needs to be taken into account. One of the most significant aspects of an auditor’s work is to try to define a common framework and a common language for all IT auditors. That was the main goal of the IT audit methodology developed in the case of the Generali Group.
Years ago, the methodology developed by Generali’s corporate internal audit function was based on COBIT 4.1. This framework was selected for the development of the tasks and activities within all of Generali Group’s IT internal audit departments worldwide. When COBIT 5 was released, the adoption of the new framework was only a matter of time. The migration project was launched in 2014. Through the migration, the adoption of COBIT 5 was found to be a win-win situation for the company. Apart from the expected benefits (common IT audit framework), additional benefits, including alignment with other business units, were realized.
Al Rajhi Bank
10 August 2015
Founded in 1957, Al Rajhi Bank is one of the largest Islamic banks in the world with total assets of SR 288 billion (US $76.8 billion), a paid up capital of US $4.3 billion and an employee base of more than 8,400 associates. With an established base in Riyadh, Saudi Arabia, Al Rajhi Bank has a vast network of more than 500 branches, over 100 dedicated ladies’ branches, more than 4,030 automated teller machines (ATMs), 36,000 point-of-sale (POS) terminals installed with merchants and the largest customer base of any bank in the kingdom, in addition to 130 remittance centers across the kingdom.
The IT governance function of the bank was newly established in 2014, and the bank needed to comply with regulatory compliance requirements established by the Central Bank of Saudi Arabia. The bank recognized the need to use an integrated model to meet the various needs established, especially compliance and audit requirements, so the bank turned to COBIT.
Saudi Arabian Municipality
25 May 2015
The Municipality of Eastern Region (MER) based in Dammam, Saudi Arabia, is a government-owned institution that has been in existence for 50 years. Its main purpose is to serve citizens within the scope of its region. Some of the most prominent services rendered to citizens are health care, sanitation, water, electricity, roads and schools, among others. These services are provided to 7 million residents. All of the information related to these 7 million citizens is managed by the municipality’s IT department.
A massive amount of information is created by the municipality, and managing this information correctly, consistently and efficiently is a challenge. The municipality has to pay proper attention to, and focus on, information management. Thus, the municipality chose to adapt and implement an enterprise governance and service management framework to bring discipline, structure and an organized approach to information management. In this case, the municipality looked to both COBIT 5 and the Information Technology Infrastructure Library (ITIL).
Kingdom of Bahrain’s eGovernment Authority
18 May 2015
The Kingdom of Bahrain’s eGovernment Authority is focused on ensuring the effective delivery of government services to citizens, residents, businesses and visitors (collectively, the customers). The aim is to improve the lives of a nation’s citizens by doing much more than simply implementing technology.
This involves a broad range of responsibilities and activities owned and performed by multifunctional and multidisciplinary teams across the country, along with the strong leadership needed to implement them. In addition, it involves addressing many challenges—both internal and external. The Information Communication Technology Governance Council (ICTGC), which is chaired by the chief executive officer (CEO) and vice CEO of the eGovernment Authority, wished to implement a basic framework by which key decisions are governed and IT is managed across government entities through an appropriate balanced scorecard (BSC) model. COBIT 5 was chosen as the overarching framework, because it emphasizes the importance of governance and IT management together.
Information Systems Group
4 May 2015
Information Systems Group, an IT security consulting services firm for large enterprises in Australia, particularly in the health care, utility and large government sectors, undertook an engagement to evaluate the quality of its client’s implementation of ISO 27001. In this case, IT represented approximately 100 staff members out of a work force of 2,500, so IT initially adopted a pragmatic approach to the application of the standards, which left quite a few gaps when benchmarked against a rigorous technical application of the ISO 27001 standard.
Following the review, the consultancy was asked how it would address these gaps and why doing so would deliver benefits to the enterprise. ISO 27001 pertains to the domain of security, and while it is important, it is only one of many modern businesses areas that need to be addressed. The client had identified that it also wanted to address the Information Technology Infrastructure Library (ITIL), and it had an existing access control initiative that had good sponsorship. Last, the client’s internal audit division used COBIT and was a significant sponsor for the implementation of ISO 27001. Accordingly, there was a desire to understand how all of these competing initiatives could work together practically.
Anonymous—an organization offering managed print services and document solutions
20 April 2015
Two years ago in Mexico City, an organization that offers managed print services and document solutions decided to start an effort to reinforce its governance and management model, starting with strategic planning. For this organization, planning and strategic alignment, among their many different aspects, were something relatively new and out of practice, but necessary in order to continue organizational growth (which was greater than 10-12 percent annually during the preceding 5 years). The decision was made, with the help of a consultant, to create a whole new approach to review and adjust the strategic plan.
The initial idea was to choose an alternative way to run the exercise; learning from previous mistakes, revising the original approach and strategies, and combining different techniques and methods, applied in an integrated and simple way, to generate the company’s updated strategic planning. But this time, the exercise would add a particular variant: concepts from COBIT 5, specifically, 2 of the 5 principles and the 7 enablers, in order to reinforce important concepts among the executive group and other organizational areas.
Anonymous—a government organization, a financial institution and a large conglomerate
6 April 2015
Many organizations need help meeting performance and compliance requirements. A consulting company in the United Arab Emirates worked with three different organizations to help each organization meet its governance, risk and compliance (GRC) requirements. The organizations included a government organization (5,000-plus employees with 170-plus IT staff members), a large financial institution (8,000-plus employees, operating in 3 countries with 250-plus IT staff members) and a large conglomerate (25,000-plus employees, operating in 10 countries with 200-plus IT staff members).
In each case, the consultancy determined that the best way to help these clients move from where they were to meeting GRC requirements was by using COBIT 5.
E-Commerce Website
16 March 2015
A company based in Lagos, Nigeria, is in the business of sales and distribution of its brand of shoes through physical outlets in the Lagos area. In a bid to expand its operations to areas outside of its physical outlets and to also have a better competitive showing in the Nigerian marketplace, the enterprise’s decision makers decided to use the Internet as the platform of choice to achieve this need.
To be able to manage challenges (risk factors) effectively while optimizing costs and still creating value for all stakeholders, the enterprise, with the assistance of a consultancy, chose to seek guidance from the COBIT 5 framework. The enterprise’s needs revolved around realizing benefits from managing the e-commerce web site using optimal resources and making sure all risks associated with hosting the site on the Internet are managed.
Yount, Hyde & Barbour, Part 2
23 February 2015
A mid-sized regional accounting firm with 18 shareholders and 140 employees, the enterprise has 6 locations—1 recently relocated and a 7th location planned for inclusion in first quarter 2015. The staff is very mobile, with at least 20 people working remotely or at a client’s location at any given time. Given these conditions, there is a complexity to the IT function that is greater than the size of the organization would suggest. The firm looked to use COBIT to organize the IT function using a framework to create efficiency and meet the needs and expectations of stakeholders. Using the 7 phases outlined in ISACA’s COBIT 5 Implementation, the firm began by identifying the drivers. The 3 major drivers identified were:
- A general disconnect existed between IT and the needs of the professionals.
- IT spending, while within budget, did not align with firm needs.
- IT expectations and demands among the firm’s shareholders varied.
New York State Government Agency
19 January 2015
Imagine being on the ground floor of a new government agency in the US, first conceived in 1994 and implemented in 2012, with the initial responsibility of developing an information system that would eventually process well over US $1 billion in payments monthly, produce enterprisewide reporting, and be implemented as Software as a Service (SaaS) to more than 85,000 users in 72 external agencies and by more than 100,000 vendors. Further, imagine that your responsibility included ensuring that the fledgling enterprise accomplished this mission while following its documented processes and procedures.
Where to begin? How would one know whether existing processes were sufficient? COBIT was selected to be implemented as a holistic framework to manage and govern the software. Until 2012, the enterprise used COBIT 4.1 on a limited basis only. In September 2012, the decision was made by executive management to expand the application of COBIT in a more holistic manner and to adopt COBIT 5 and all 37 processes across the enterprise.
Anonymous—managed service provider
20 October 2014
This managed service provider offered outsourced IT services for the small to mid-sized market nationally. The data center was a multitenant environment that provided outsourced email, infrastructure, applications, development, project management and service desk functions. The structure was typical to this type of organization in the private sector, with administration, finance, sales and marketing, operations, and IT functions. Security, risk and compliance efforts were largely delegated to IT and were typically discussed only when issues arose. There were several frameworks and standards in use, although their adoption was fragmented. The organization was suffering from what stakeholders called “framework exhaustion,” and, thus, COBIT adoption was expected to be a hard sell but surprisingly was not.
The Independent Electricity System Operator (IESO)
22 September 2014
Changing IT service providers is never a simple undertaking. It is even more challenging when the organization making the change is responsible for processing meter reads and supporting the billing of more than four million customers on time-of-use rates. The IESO used COBIT 5 for the procurement of IT services, helping to accelerate the procurement process and improve the contract and how it is managed.
Ecopetrol S.A.
July 2014
As part of an updated strategy, Ecopetrol S.A., a vertically integrated energy company, began a corporate transformation with the goals of growth and strengthening its internal control system. It knew it needed a clear approach for governance and management of IT services as well as best global reference standards and a framework, so it used the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and COBIT frameworks, which helped consolidate strong IT governance practices that were totally aligned with the corporate internal control initiatives.
DuPont
April 2014
Over time, business has increasingly advanced the application of IT to meet ever-changing business needs and regulatory requirements. A systematic and continuous improvement program helps an organization focus on “doing things right” and continually improving its effectiveness and efficiency. To successfully meet this need, DuPont recognized that it must leverage a robust, dependable process assessment framework. The COBIT 5 process assessment model (PAM) is evidence-based and enables a reliable, consistent and repeatable assessment in the area of governance and management of enterprise IT (GEIT) to support continuous process improvement.
HDFC Bank
January 2014
As an early adopter of COBIT 4.1, HDFC Bank’s IT governance journey started almost six years ago, when COBIT 4.1 was just introduced. Almost all of the 34 IT processes defined in COBIT 4.1 were adopted by the bank.
Following COBIT 5’s introduction in April 2012, HDFC Bank took some time to consider a migration. Because the bank has successfully implemented COBIT 4.1 to great benefit, it will not immediately migrate to COBIT 5. However, the seven enablers introduced by COBIT 5 were intuitively adopted by HDFC Bank even before these were popularised in COBIT 5.
Anonymous, Middle East Bank
January 2014
As a result of its initiative to improve information security with the help of COBIT, a Middle East bank realized several benefits, including:
- Improved integration of information security within the organization
- Informed risk decisions and risk awareness
- Improved prevention, detection and recovery
- Reduced (impact of) information security incidents
- Enhanced support for innovation and competitiveness
- Improved management of costs related to the information security function
- Better understanding of information security
Yount, Hyde & Barbour
October 2013
With the introduction of COBIT 5, the framework is moving toward a more global application to the enterprise. But, can a smaller organization still take advantage of COBIT 5 to help direct its IT function? This is an account of one organization’s beginning steps toward implementing COBIT 5.
Yount, Hyde & Barbour is a mid-sized regional accounting firm with 21 shareholders and 140 employees. The firm has six locations, with at least 20 people working remotely or at a client’s location at any given time. Thus, there is a complexity to the IT function that is greater than the size of the organization would suggest.
The ICT Study of Public Health Institutions in Mexico
October 2013
Health services are a crucial activity worldwide and reflect the level of awareness and social development of a country. The ICT Study of Public Health Institutions in Mexico was conducted under the sponsorship of Strategic Consulting Information Technology (ConSETI) and Brio Software Mexico (Brio). ConSETI and Brio are using this study to help evolve health services in Mexico. The study includes a gap/risk analysis of the current ICT situation, proposing recommendations that will lead to the improvement and implementation of better ICT objectives in the public health institutions. For this purpose, the sponsors became convinced of the importance of using COBIT 5, recognizing it as the best practice framework for the governance and management of enterprise IT (GEIT), and utilized it for the ICT assessment of public health institutions in Mexico.
ISACA
In 2009, ISACA developed a strategy focused on becoming the global leader in products and services that support trust in, and value from, information systems. By 2011, having accomplished many of the 2009 goals, ISACA began work on an extension of the 2009 strategy. In recognition of the strategy’s 10-year horizon for completion, it is referred to as Strategy 2022, or S22, for short.
Maitland
Maitland utilized COBIT to create a shared understanding of information and communication technology (ICT) and its purpose and impact on the enterprise and to increase business oversight and accountability for ICT. Maitland is increasingly using the COBIT framework as a guide to structure and position the enterprise’s thinking in many ICT subject areas. Also, Maitland has found that the governance principles in COBIT are universally applicable—not exclusive to the ICT domain—and is in the process of applying them enterprise wide.
Anonymous or FamilyGrocer
As a regional US grocery chain based in a major metropolitan area, FamilyGrocer (name changed) had experienced rapid growth through new store openings and acquisitions. In light of the risk associated with its consolidated operation, the IT organization received a mandate from the board of directors to formally manage IT-related risk. The mandate specifically called for an initial high-level assessment of IT organizational risk, drawing largely from internal expertise. The board also requested that the IT organization demonstrate an ongoing program to manage risk. As a result, the IT organization conducted a COBIT-based operations workshop to assess its risk management.