APPROVED by Order No. V-204 of Auditor General of the Republic of Lithuania of 25 November 2014
NATIONAL AUDIT OFFICE OF LITHUANIA
INFORMATION TECHNOLOGY STRATEGY OF THE
NATIONAL AUDIT OFFICE 2015–2020
25 November 2014
Vilnius
Contents
1. INTRODUCTION
2. ANALYSIS OF THE ENVIRONMENT
2.1. External environment
2.1.1. Legal environment of information technology
2.1.2. Development trends in information technology
2.2. Internal environment
2.2.1. Information architecture
2.2.2. Information technology resources
2.2.3. Information technology governance maturity
3. SWOT ANALYSIS
4. IT STRATEGIC GOALS AND INDICATORS
5. IMPLEMENTATION, MONITORING AND ASSESSMENT
ANNEXES
1. INTRODUCTION
The National Audit Office of Lithuania (NAO), as the Supreme Audit Institution, has always paid
special attention to planning its activities. The NAO planning system is based on a coherent set of
planning documents of varying duration (Fig. 1), the implementation of which allows the institution
to increase its business efficiency and to ensure results-oriented management.
The Public Audit Strategy (PAS) is the key long-term planning document for NAO performance,
defining the vision, mission, values, and strategic objectives of the institution for five years.
Implementation and monitoring of this Strategy are carried out by developing annual reports and
approving annual action plans.
In addition to the most important short-term planning documents, such as the Public Audit
Programme and annual departmental plans, the NAO has introduced a Business Risk Management
System, which is another element of the planning system: every year the appointed key business
process owners review and assess the identified risks and define activities in response to the most
significant ones. The Risk Management Plan is approved by the NAO Strategic Planning and Business
Risk Management Committee. The activities provided for in all planning documents are reflected in
the annual plans of the relevant structural units, whose management reports on the implementation
of the plan to the Council of the National Audit Office.
[Figure 1 residue: the planning documents shown are the Public Audit Strategy, the Annual PAS
Implementation Plan, annual departmental plans, the Risk Management Plan, the Strategic Plan, the
Public Audit Programme, the IT Strategy and the IT Strategy Implementation Plan, grouped into
long-term planning documents (3 years and more) and short-term planning documents (up to 3 years).]
Figure 1. Cascade of the planning documents
The NAO planning documents given in Figure 1 above cover all the most important business areas
of the institution and the business processes. In this respect, the NAO information technology
governance is no exception. However, the existing planning documents do not reveal the
information technology (hereinafter - IT) governance aspects in a sufficiently systematic and
detailed manner and are not based on the best IT governance practices.
Modern information technology is one of the key instruments that ensures the efficiency and
effectiveness of private and public sector organisations. However, organisations must ensure that
their information technologies are properly managed and closely linked to the organisation’s
objectives and needs. Therefore, many successful organisations also prepare specialised
information technology strategies of different duration and action plans in addition to their
general business planning documents. The implementation of such strategies and action plans makes
it possible to bring IT governance in the organisation to a higher level of maturity and to map
business goals to IT goals, which enables a more efficient use of information technology resources,
improvement of service quality, and enhancement of IT security and reliability.
To improve the NAO strategic planning and business risk management and to ensure sustainable
development of its information technology and its contribution to achieving the business goals of
the institution, a working group (hereinafter – the Working Group) was established by Order No. V-74
of the Auditor General of 14 April 2014 for drafting the Information Technology Strategy 2015–
2020 (hereinafter – the IT Strategy). The Working Group was composed of NAO officials and
civil servants representing various business areas of the institution (such as strategic planning,
public auditing, administration, information technology governance).
When drafting the IT Strategy and setting IT strategic goals, the Working Group used the
standardised links between enterprise business goals and information technology goals. The work
was based on the Control Objectives for Information and Related Technology (hereinafter –
COBIT), a methodology and set of best practices for IT governance and management published by
the Information Systems Audit and Control Association (hereinafter – ISACA). The strategic goals
formulated by the Working Group were arranged in the perspectives of the balanced scorecard given
in COBIT 5.
2. ANALYSIS OF THE ENVIRONMENT
2.1. External environment
The importance and application of information technologies in Lithuania has been continually
increasing.
According to Statistics Lithuania¹, at the beginning of 2012, 91 per cent of public administration
institutions with a staff of 10 or more employees had a website, or a web page on a website
shared by institutions from various regions of the country providing specific public services.
In 2012, the proportion of services moved to the electronic environment in Lithuania stood at 82
per cent. In Lithuania, the following e-services are already provided at the highest possible maturity
level: individual income declaration, job search, issue of driving licences, reporting to the police,
declaration of the place of residence, declaration of social contributions for employees,
declaration of profit and value added taxes, establishment of a new company, submission of
customs declarations, execution of public procurement.
At the beginning of 2012, 98 per cent of institutions were using broadband internet connection,
more than 60 per cent had fibre-optic lines, and 44 per cent were using mobile internet
connection. The share of the staff using computers at work accounted for 83 per cent and of those
using the internet was 72 per cent.
Although most of the institutions have been providing public and administrative services in a
traditional manner (by mail, telephone, or accepting visitors in the institution), electronic servicing
via social networks (e.g. Facebook, MySpace) is becoming more and more popular. At the
beginning of 2012, 10 per cent of institutions provided information and consultancy in social
networks.
At the beginning of 2012, 75 per cent of the institutions performed electronic exchange of
documents with other State and municipal authorities and agencies.
Document management (preparation, registration, scanning) systems were used by 72 per cent of
the institutions, enterprise resource planning (ERP) systems by 17 per cent, and customer
relationship management (CRM) systems by 3 per cent of the institutions.
The employees of 57 per cent of institutions were using secure digital signature in sent
documents; 57 per cent of institutions had remote access to the institution’s e-mail system,
documents or special applications.
1 Statistics Lithuania. Information Technology in Lithuania, ISSN 2029-3615, 2012.
To reduce their costs, many institutions use open-source software. Based on the survey data, 42
per cent of institutions were using open-source operating systems, 87 per cent – browser, 53 per
cent – office software, 36 per cent – other open-source programmes in at least part of their
computers.
2.1.1. Legal environment of information technology
Before the adoption of the Law on Management of State Information Resources of the Republic of
Lithuania², the main requirements for the development, management and security of state
information systems were approved by resolutions of the Government of the Republic of Lithuania
and were applicable to all institutions and agencies subordinate to the Government.
After the adoption of the law, the legal regulation of information resources management applied
to all state institutions, state agencies, state enterprises, public institutions, which establish,
create and/or manage state registers, departmental registers, state information systems and other
information systems and which are authorised to perform public administration.
For the National Audit Office, which is accountable to the Seimas of the Republic of Lithuania, this
meant new requirements set for the development and security of information systems and new
internal legislation which had to be drawn up and approved by the institutions concerned.
As on 31 October 2014, the following internal legal acts implementing the requirements of the
Law on Management of State Information Resources were adopted by the NAO:
– Regulations for secure handling of business planning and monitoring information in the
information system of the National Audit Office, Business continuity plan for this system, and User
administration rules approved by Order No. V-15 of the Auditor General of 24 January 2014;
– amended Regulations for data security of the information system of the National Audit Office
approved by Order No. V-19 of the Auditor General of 30 January 2014;
– amended Rules for secure handling of electronic information in the information system of the
National Audit Office approved by Order No. V-88 of the Auditor General of 8 May 2014, Business
continuity management plan for the information system of the National Audit Office, and
amended Rules for administration of users of the information system of the National Audit Office.
A compliance evaluation of NAO information technology security against the established
requirements was carried out in 2014 to ensure organisation and control of implementing the
requirements of security policy documents in accordance with the Methodology for information
technology security compliance assessment approved by Order No. 1V-156 of the Minister of the
Interior of the Republic of Lithuania on 6 May 2004 “On the approval of the Methodology for
information technology security assessment” and Lithuanian standard LST ISO/IEC 27001:2006
(ISO/IEC 27001:2006-11) “Information technology. Security techniques. Information security
management systems. Requirements”.
2 Republic of Lithuania Law on Management of State Information Resources No XI-1807 of 15 December 2011.
The requirements laid down in the Lithuanian Law on Management of State Information
Resources cover not only the development, management and security of information systems, but
also strategic planning of information resources, management of information technology
resources, and security assessment.
In order to strengthen the links between the business processes of the entities managing state
information resources and their information technologies, the law defines the important function of
the authorised person for data management (data owner) and their rights and duties in planning
information resources development, supervising development, drafting budgets of the state
information system or register, and supervising compliance with legal requirements. The law
provides that the authorised person for data management – the head of the structural unit in
charge of an institution’s business function, or, where such a structural unit does not exist, the
employee in charge of that function – should be appointed for every register, state
information system, or subsystem.
Even before the adoption of the above law, the National Audit Office, following good practice, had
set out the responsibilities of business units for the data and information they manage by Order No.
V-60 of the Auditor General of 3 April 2007. The procedure was revised by Order No. V-172 of the
Auditor General of 14 October 2014, which gave the units further rights and responsibilities.
2.1.2. Development trends in information technology
Short-term global trends in information technology are continually reviewed by various
international research and analysis centres and market research groups; such analyses are also
commissioned by governments worldwide, which later publish the results. Most of them,
e.g. the US company CSC with 50 years of experience and 80,000 employees around the world,
predict that in 2014–2020 information technology will develop rapidly in the following directions,
in addition to the usual ones:
Outside-In
Until recently, innovation, information and IT value were created internally in the organisation.
However, many of today’s IT technologies and techniques – including cloud³, social networks⁴ and
crowdsourcing⁵ – are happening outside the organisation, and this trend has been increasing. IT
managers will need to re-architect their organisations’ internal networks, making them more like
the Internet. And these changes will need to be done quickly.
3 Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of
computing resources (e.g. networks, servers, storage, applications, and services) that can be managed with minimal service provider interaction.
4 Facebook, Twitter, LinkedIn, Google+, Instagram, MySpace, etc.
BYOD shifts to BYOT
The BYOD (short for “bring your own device”) trend is just the tip of a much larger iceberg. Many
employees want not only to use their personal mobile devices at work, but also to use their own
applications and to connect to their personal Internet services. As a result, BYOD shifts to BYOT
(“bring your own technology”). The restructuring of IT security in accordance with this principle
will raise a lot of concerns in the fields of security, working time accounting, and work
organisation.
Multi-clouds
Multiple clouds – public clouds, private clouds, and hybrid clouds – will become increasingly
commonplace, and organisations will have more than one of each. Some of these clouds will be
built by internal IT departments, while others will be sourced from external third parties. This will
deliver new efficiencies for organisations. But it will also create new challenges, such as how to
avoid losing control over information and data in such a multi-cloud landscape. Thus new cloud
management platforms will emerge, as well as organisational app stores, which will help IT
managers deploy IT workloads into various clouds in a quick and safe manner.
Big data gets fast
Big data will be processed more quickly: conclusions that used to take several days to reach will
be drawn in a few hours thanks to faster computation. Such rapid information processing will lead
to the emergence of many new applications designed to handle large amounts of data.
The Internet of things
Computers usually process information. But in future, thanks to the rapid emergence of Internet-
connected sensors and things, computers will also process physical systems and devices. What has
been called the Internet of Things is already transforming automobiles, personal healthcare
devices, TVs, and electrical equipment. Countless other goods will be connected to the Internet,
too. Manufacturers, trying to keep up with these technologies, have been connecting to the
Internet more and more of their production facilities and work equipment, which opens up new
opportunities to develop and use programs for controlling such equipment and/or performing an
audit.
5 People's suggestions.
Governments as IT leaders
Government agencies and organisations often receive a bad rap as IT backwaters. In the near future,
that is going to change. For the first time in decades, governments will emerge as IT leaders.
Openness is the key. Government agencies and organisations are quickly moving to open systems,
open innovation, and open software. All this openness enables more efficient interaction with
citizens, while citizens are provided with unlimited opportunities to contribute their ideas,
insights, even code to their governments. Behind this change is a shift from excellent or perfect
technology to IT that is “good enough.” For the public sector, this shift will be massive.
Given the rapid development of new information technologies around the world in recent
decades, it is likely that these development trends will soon be visible in Lithuania as well.
2.2. Internal environment
The information technology governance and control system of the National Audit Office is based
on examples of good practice provided in the COBIT framework developed by ISACA, suggested
instruments and process-oriented management models. The key principles of the IT governance
and control framework are as follows:
- Primacy of the main business of the organisation over IT-related activities;
- Process-oriented management and control model;
- IT internal control is integrated into the overall internal control system;
- Assessment of the IT management and control system.
The primacy of the main business of the organisation over IT-related activities means that IT goals
are set taking into account the general objectives of NAO performance, i.e. it is ensured that the
business operator (customer) determines the needs and direction, while IT (the service provider)
determines what should be done and how.
This principle is enforced by the Information Technology Management Committee of the National
Audit Office (hereinafter – the IT Committee) in its activities and is also invoked in the internal
legislation setting roles and responsibilities of the Information resources management coordinator
and information resources (data) owners.
The activities of the National Audit Office (in relation to IT) are described following the process-
oriented management and control model, which is used to appoint process managers and to set their
roles and responsibilities as well as process inputs and outputs. This makes it possible to use and
integrate other process-based management models and techniques, such as the Business Risk
Management System of the National Audit Office and the Quality Management System, which is in
line with the ISO 9001 standard.
The IT internal control system is based on the overall internal control system and forms an
integral part of it. This ensures the primacy of the main business of the organisation over IT-related
activities, so general internal control instruments (policies, internal procedures, organisational
structures, best practices used) are designed to be applied consistently to the IT field. For
example, the Business Risk Management System of the National Audit Office – one of the
components of its internal control – is consistently applied to the IT field.
The IT management and control system is subject to assessment – the National Audit Office has
relevant methodology and practice in applying it, assessments performed are repeatable. The IT
management and control system was first assessed in 2003, with the assistance of experts from
the Netherlands Court of Audit, then in 2006 an independent assessment was carried out, which
identified a number of maturity gaps in the IT management, which were taken into account when
developing the IT Management Strategy of the National Audit Office 2007-2011.
The National Audit Office has extensive experience in assessing public sector business processes
and linking them to IT processes. This experience is used not only in maturity assessments of the
internal IT management and control system, but also in audits of IT management and control
systems (general controls, IS development control) of public sector.
2.2.1. Information architecture
Information architecture is the main source of information about IT responsiveness to business
requirements, and provides reliable and consistent information needed for decision-making by the
management and seamless integration of applications into business processes.
Information architecture can be seen as a layer of the broader and more complex enterprise
architecture⁶, which underlines its importance in integrating business and technology.
In the COBIT framework, information architecture is similarly understood as part of broader IT
architecture, it is also one of the four COBIT resources (information, applications, infrastructure
and people) aligning the enterprise’s business and technology (Fig. 2).
6 Enterprise architecture is defined as the business logic and practice that deals with the enterprise’s business using
information and other resources in order to increase the maturity of the enterprise, integrating its strategy, business and technology. EABOK – Enterprise Architecture Body of Knowledge, © 2014 The MITRE Corporation. http://www2.mitre.org/public/eabok/planning_an_ea/purpose.html
Figure 2. Enterprise architecture for IT, source – COBIT 4.1, © 2007 ISACA, p. 11
Requirements for the information architecture are determined by COBIT 4.1 process PO2. The
achievement of PO2 goals requires establishing and enhancing the data administration function
assigned to the business, using standardised and documented methods, procedures and tools, as
well as staff training.
An important aspect of aligning business and information technology, which is enforced in the
Lithuanian Law on Management of State Information Resources, is the function of the authorised
person for data management (data owner) and the duties and responsibilities of this person that
the law establishes.
The internal IT legislation is debated and agreed at the IT Management Committee taking into
account the requirements of the law and applicable COBIT best practices, and then approved by
orders of the Auditor General.
The appropriate positioning of information architecture ensures well-balanced use of information
resources, aligning them with the business strategy in a highly flexible manner, strengthening
accountability for data integrity and security, and enhancing efficiency and control of data
exchange between different systems.
In order to ensure the confidentiality, integrity and availability of the National Audit Office data
and active participation of its structural units in decision-making on NAO information
management, on 3 April 2007 the Auditor General issued Order No. V-60 “On the responsibility of
the units for the processing of their data and information” (as amended by Order No. V-172 of 14
October 2014), thus enhancing the role of the structural units in the information management
process.
PO2 goals:
• Establish an enterprise data model
• Reduce data redundancy
• Support effective information management
To create an environment in which all information resources, without exception, are given
adequate attention so that the right decisions are made on their development, design,
maintenance, and security, the National Audit Office should classify all the data it manages and
processes according to its importance and define data integrity and consistency principles.
2.2.2. Information technology resources
The links between the NAO business requirements, information technology processes, and
information technology resources are best illustrated by the COBIT cube⁷, in which the enterprise’s
IT resources are managed by IT processes to achieve IT goals consistent with the business
requirements (Fig. 3).
Figure 3. COBIT cube
Information technology resources are defined as the whole of people, information, infrastructure,
and applications. To provide the information that the enterprise requires to achieve its objectives,
the enterprise needs to invest in, manage and control IT resources using a structured set of
processes to provide the services that deliver the required enterprise information.⁸
The importance of IT resources is also emphasised in COBIT 5, where people, information,
applications, and infrastructure are defined as three of the seven enablers that have to be
managed in a holistic way (i.e. taking into account their interdependence).
Applications
The applications of the National Audit Office include the components, interconnected to varying
degrees, of the information systems ViPSIS and VKIS managed by the NAO, which automatically
exchange their data (TeamMate, KOPA, KONTORA, STEKAS, ARAP, Internet and intranet pages of the
NAO, electronic mail), and individual specialised or standard office applications that are not
interconnected into the systems. A diagram of the software components is given in Annex 1.
7 COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models, © 2007 ISACA, Fig. 22 COBIT cube, p. 25.
8 COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models, © 2007 ISACA, p. 10.
The main components of the NAO information systems ViPSIS and VKIS are installed in the virtual
environment. All workplaces have the Microsoft Office 2007 suite of applications and client
components of the business planning and monitoring system ViPSIS. Specialised workplaces run
additional software development and multimedia editing programs developed by Microsoft, Corel,
Adobe, etc., which are used for various NAO information system development and modernisation
tasks.
Over the last ten years, the degree of integration of the NAO information system has changed from
heavily centralised and closed (VAKIS) to more flexible, consisting of separate modules connected
in a semi-open way (ViPSIS and VKIS).
In view of the global trends in the development of information systems, it is proposed to maintain
the openness of the NAO information system modules which are being created or upgraded, the
simplicity of the links between them, and the assurance of standard interface. Such an approach
would not only be consistent with the principles of architecture applicable to information
resources, but also reduce the risk of purchasing a singular, closed and non-standard information
system, the development and maintenance of which would be more expensive than of analogues
due to lack of competition among service providers.
The modernisation of the information system should follow the “Buy vs. Build” principle⁹, and the
acquisition of the source code should be ensured when purchasing system modules or the service
of their development in the cases provided for by law.
Information
The information of the National Audit Office means the whole of the electronic and paper
documents received, created, used by and stored in the institution. Paper documents are stored in
workplaces and in the NAO archive. Electronic documents, depending on their type and purpose,
are stored both on servers and in computerised workplaces. In workplaces, data is stored both in
standard Microsoft Office formats and in specific formats typical of various NAO subsystems. The
prevailing data formats in computerised workplaces are standard ones.
The data stored on servers is copied to backup servers on a regular basis. The staff can
independently copy important documents to the backup servers from their computerised
workplaces.
9 COBIT 5 A Business Framework for the Governance and Management of Enterprise IT, © 2012 ISACA, p. 85.
The largest number (up to 80 per cent) of all electronic data is stored in the NAO information
systems VKIS and ViPSIS. The amount of net unduplicated electronic data in the National Audit
Office is about 1 TB. The disc space occupied by data warehouses, servers, and workstations which
is needed for handling this electronic data and storing its backups is approximately 4 TB.
Infrastructure
Infrastructure is composed of technology and equipment in the environment of which applications
are implemented. The hardware of the NAO information technology encompasses servers,
electronic data warehouses, computerised workplaces, and printers. The diagram of the hardware
is given in Annex 2.
Servers and electronic data warehouses were developed following the Hewlett-Packard
technology. The main servers are connected into clusters which ensure business continuity in the
event of equipment failure. The computerised workplaces of the administration are equipped with
desktop computers, auditors use portable computers. For convenience, portable computers have
external keyboards and monitors. Working documents are printed by multifunction printing
devices and conventional printers connected to a common computer network of the National
Audit Office.
The servers run the Hyper-V virtual environment on Microsoft Windows Server 2008 R2. The
electronic data warehouses are hard drive arrays built using RAID-5 technology, which ensures
data protection in the event of a single drive failure within a warehouse. The servers also host IT
infrastructure components, such as Active Directory, printer control processes, service discs of
departments, divisions and staff members, and control programs for the video surveillance cameras
watching the territory. These components are available to the authorised staff of the National Audit
Office from their computerised workplaces via web browsers and through specially tailored programmes.
Standard computerised workplaces use Microsoft Windows Vista and Microsoft Windows 7
operating systems. All workplaces have Microsoft Internet Explorer and Mozilla Firefox browsers.
The National Audit Office started using different information systems after abandoning technical
support for the audit documentation subsystem TeamMate. This hinders the smooth operation of the
information systems and creates an additional administrative burden on the Information Technology
Division. The final transition to the new information system ViPSIS in 2015 will allow
harmonising the operating system versions installed in the computerised workplaces. There are
two alternatives to be considered: to purchase licences for separate operating systems along with
computers, as is done now, or to purchase a corporate licence with an upgrade option.
Servers and data warehouses are in good technical condition, which will remain so for
another 3-4 years. With technical resources becoming scarcer, the use of cloud computing could
be considered as an alternative to the procurement of new expensive servers and warehouses. The
situation is worse in computerised workplaces: compared to the 1-2 year old computers used in the
administrative units, auditors are working with 4-5 year-old devices that regularly crash and
prevent the timely completion of their tasks. To be able to manage the risk of technological failure in
computerised workplaces, funds should be allocated for replacing at least one fifth of the
computers with new ones.
The NAO electronic communications equipment is a set of hardware and software consisting of
wired and wireless computer network elements and applications for ensuring the interoperability
of the elements. The communications equipment diagram is given in Annex 2.
The National Audit Office uses a territorially distributed 100 Mbit/Gbit Ethernet (TCP/IP) network
whose Vilnius, Kaunas, Klaipėda and Panevėžys segments are connected into a common scheme using
the secure public data network service provided by the state enterprise Infostruktūra. The territorial
computer network of the NAO Training Centre in Giruliai uses the public network access service
provided by TEO. Computerised workplaces are connected to the NAO computer network by Category 5
Ethernet cabling through HP third-generation network switches. Where necessary, consumer-grade
wireless network equipment is used to connect the portable computers, tablets and smartphones of
NAO staff and visitors to the network.
The wired segments and network connections of the computer network in the old NAO building are
worn out, and replacing them would be very costly. One alternative under consideration is to install a
wireless computer network at the National Audit Office. When working at auditees, auditors connect
their portable computers to the NAO computer network through the auditee's infrastructure, which
carries the risk of breaching the network security requirements of the auditee or those of the
National Audit Office. Another option would be to purchase a mobile Internet connection or virtual
private network service for all auditors or for some of them (audit team leaders).
People
According to data for the first half of 2014, the NAO had 401.5 positions, 6 of them at the
Information Technology (IT) Division of the General Affairs Department. The IT Division positions are
the head and five chief specialists: a system administrator, a hardware administrator, two system
designers, and a specialist performing the various assignments delegated to the division (such as
public procurement, documentation, technical assistance and staff consulting). In addition to their
main functions, all IT Division employees advise NAO staff on information technology issues and,
within their competence, take part in NAO committees, commissions and working groups.
The IT Division staff have worked at the National Audit Office for between 5 and 20 years, so the
specialists are very familiar with the institution's main activities, its information systems and its
technology development. They have completed the basic courses on the software and hardware used in
their daily work and hold the relevant certificates; however, the rapid development of information
technology and the scarce funding for training increase the risk that the skills of the IT staff will
lag behind the market average for specialists in this field, which could adversely affect all
information technology-related business processes of the National Audit Office. To maintain current
qualifications and acquire the new skills needed, specialised IT training should be provided for,
seeking EU funding for this purpose.
2.2.3. Information technology governance maturity
Legislative requirements, although continually improved, are designed to ensure only a minimal level
of information technology governance maturity. Reaching higher maturity levels requires an analysis
of the best IT governance practices, selecting only those parts that can be tailored to the needs of
the National Audit Office in the most efficient (fastest and least expensive) way.
To reach a higher IT governance maturity level, the National Audit Office goes beyond mere
compliance with legal requirements and uses the best practices recommended by COBIT together with
their analysis and application methods.
The IT management and control system is assessed using the Capability Maturity Model described in
COBIT 4.1 [10], following the self-assessment methodology prepared by the project “Information
Technology Self-Assessment in Supreme Audit Institutions” managed by the EUROSAI IT Working
Group [11].
The maturity assessment carried out in 2006 gave an average maturity of 1.21 for the COBIT 4.1
processes [12] selected for assessment. A review of the same processes carried out in 2014, taking
into account the maturity improvement measures implemented over 2007-2014, showed a better
result [13] (1.50).
3. SWOT analysis
The NAO IT governance strengths and weaknesses, opportunities and threats were identified
taking into account results of the analysis given in Chapter 3 of this document. The IT governance
risks are provided in the NAO Risk Management Report 2013.
Strengths
- Skilled IT staff with many years of experience in the NAO information systems;
- Modern data processing and storage equipment – the main servers and data warehouses
were purchased two years ago;
- Secure and fast computer network based on optical communications technology and the cyber
security service provided by the state enterprise Infostruktūra, which ensures modern
communications with the NAO units situated in other towns as well as with other institutions;
- Widely used IT technologies in the NAO servers and data warehouses, such as Microsoft Server,
Microsoft SQL Server and Hyper-V virtualisation;
- Quick communication: the NAO Intranet and Internet sites were developed and are maintained and
continually updated by NAO staff, and video conferencing is available with the NAO units situated
in other towns as well as with other institutions;
- A modern audit data, document and audit process management system (ViPSIS) that is flexibly
integrated with other subsystems.
[10] COBIT 4.1: Framework, Control Objectives. Management Guidelines. Maturity Models, © 2007 ISACA, p. 17-21 and 175.
[11] More about the project: http://www.eurosai-it.org/documents/activities/flyer_it.pdf
[12] The processes assessed in 2006: PO1, PO2, PO8, PO10, AI1, AI4, AI5, DS1, DS4, DS11, ME1.
[13] COBIT 4.1: Framework, Control Objectives. Management Guidelines. Maturity Models, © 2007 ISACA, p. 10.
Weaknesses
- Failure to develop IT planning documents in a systematic and comprehensive manner;
- Lack of methodical and practical experience in IT project management;
- Outdated hardware and software in workplaces;
- Obsolete internal computer network components – cables and connectors;
- Insufficient regulation of the services – type and quality of services and feedback –
provided by the IT staff to other NAO employees;
- Lack of communication between the IT staff and the employees of the NAO structural units when
addressing information technology problems;
- IT staff professional development lags behind the rapid technological change; there is a lack of
training;
- The computer literacy of the NAO staff should be improved.
Opportunities
- Wireless internal computer networks;
- Improving computer equipment at relatively decreasing costs;
- Cloud computing – the number of companies providing these services is going up, and their
prices are going down;
- Software rental (subscription) with upgrades for the main servers and computerised workplaces of
the National Audit Office, which enables the software to be upgraded more often, thus spending less
working time on public procurement and simplifying budget planning for the procurement;
- Mobile encrypted Internet connection, which gives NAO staff secure access to the institution's
computer network from other workplaces (at auditees, on business trips, at home);
- Decreasing software costs make it possible to secure access to the NAO computer network when
employees bring their own devices (BYOD procedure);
- IT staff training;
- Access to funds of the financial perspective 2014 to 2020.
Threats
- The growing number of cyber threats all over the world increases the risk of damage to the
NAO information systems – unauthorised access to, alteration and destruction of
important and/or sensitive data;
- The risk of insufficient IT financing of budgetary institutions, depending on and related to
the economic situation of the state;
- Frequent amendments of the legal requirements for government bodies, organisations and
agencies, delayed drafting of legislation;
- Brain drain of skilled IT staff;
- Potential significant enlargement of the functions of the National Audit Office that will
have an impact on IT.
4. IT STRATEGIC GOALS AND INDICATORS
In determining the IT strategic goals, the Working Group used the analysis carried out in Chapters
2 and 3 of the IT strategy and standardised links between the institution's performance goals and
information technology goals described in well-known ISACA methodologies and
recommendations.
The NAO strategic goals for information technology, expressed in terms of the balanced scorecard
(BSC) [14], are set out below. Corresponding indicators are used to assess the level of achievement
of the NAO IT strategic goals; the current values of these indicators are given in Annex 3.
1. SUSTAINABLE DEVELOPMENT OF INFORMATION TECHNOLOGY
This strategic goal requires maximum involvement of the management of the institution, all
process managers, and IT staff, as well as coordination of actions. The goal focuses on long-term IT
development and projects with strategic or economic importance for the NAO performance (e.g.
installation of new IT systems or improvement of the existing ones, cloud technologies, computer
equipment rental services). To achieve this goal, we will seek innovative solutions and investment
based on the best cost-benefit ratio for the institution.
Indicators
All IT strategic goals of the National Audit Office are aligned with the NAO business goals laid down in
the Public Audit Strategy.
Every year the IT performance of the National Audit Office is discussed in at least four meetings of the
Information Technology Management Committee.
The average amount of funds allocated for IT resources during the last three years [15] shall not exceed 4
per cent of the NAO budget.
[14] A detailed description of the method for setting NAO IT strategic goals using the COBIT goals cascade is given in Annex 4.
2. IT SERVICES THAT SATISFY CUSTOMER NEEDS
We will prioritise the IT services provided to the customers and see to it that they are provided on
time and in good quality. We will continually assess the quality of our IT services and seek to
ensure that they meet the needs of IT users. We will introduce the IT services that are relevant to
and needed by the customers, taking into account the developments in information technology
and the needs of IT users.
Indicators
95 per cent of the services are provided under fixed service level agreements (SLA, OLA).
80 per cent of the computer equipment is not older than five years.
Customer evaluation of the IT services is scored 7 (out of 10).
3. IT GOVERNANCE IN LINE WITH BEST PRACTICES
We will ensure that IT services are provided continuously and that potential interruptions are
insignificant to the NAO performance. We will ensure the confidentiality and security of electronic
information in accordance with relevant legislation, ISO 27000 requirements, and best practices
recommended by COBIT and other methodologies. In improving the IT governance and IT service
management, we will follow ISO 38500 and ISO 20000 requirements and the models and best
practices recommended in the Open Group Architecture Framework (TOGAF), COBIT, and
Information Technology Infrastructure Library (ITIL).
Indicators
The implementation of the strategy will result in the achievement of maturity level 3 (according to the
COBIT CMM model) in five of the 11 selected main processes and maturity level 2 in the other six.
The annual accessibility of the information system should be at least 90 per cent during business hours on
weekdays (for third category information systems).
4. HIGH DEGREE OF EMPLOYEE EXPERTISE IN IT
With the rapid development of information technology, it is very important to ensure that the
knowledge and competence of the IT staff are sufficient for the efficient management of NAO
information technology and services and for their innovation and optimisation. Adequate resources
should therefore be allocated for specialised IT training of the IT staff. An equally important factor
is training the IT skills and computer literacy of IT users. NAO staff should be continually introduced
to IT innovation.
[15] IT staff salaries, expenses for purchasing IT services and assets.
Indicators
Continual improvement of the IT staff qualification, with 10 academic hours of specialised training in IT
per employee per year on average.
Continual improvement of the NAO staff qualification, with 3 academic hours of training in IT user skills
or computer literacy per employee per year on average.
Continual improvement of the qualification of the NAO staff whose activities are related to the
management of IT processes and IT resources at the National Audit Office, with 4 academic hours of
specialised training in IT per employee per year on average.
5. IMPLEMENTATION, MONITORING AND ASSESSMENT
The IT Strategy is implemented by developing and executing annual IT Strategy implementation
action plans, which establish activities for reaching desired goals, and achieving expected results,
performance measures, deadlines, and responsibilities.
Annual IT Strategy implementation action plans are developed by the IT Division and submitted to
the IT Management Committee for consideration. If approved, the plans are adopted by order of
the Auditor General.
The IT Strategy implementation is monitored using ViPSIS, and the implementation of the action
plan is discussed in IT Management Committee meetings at least twice a year.
The IT Division prepares an annual report on the implementation of the IT Strategy implementation
action plan, which is submitted to the IT Management Committee at the end of the year (usually
together with the plan for the next year).
The maturity assessment of the eleven most important COBIT 4.1 processes selected using the
method described in Annex 4, namely PO1, PO2, PO8, PO10, AI1, AI4, AI5, DS1, DS4, DS11 and ME1
(other processes are assessed as well if needed), is carried out three times by 2020. The list of
implementation measures may be revised after each assessment.
The maturity of these important COBIT processes (PO1, PO2, PO8, PO10, AI1, AI4, AI5, DS1, DS4,
DS11, ME1) to be achieved by 2020 should be as follows:
- the maturity score for 5 processes (out of 11) is 3;
- the maturity score for 6 processes (out of 11) is 2.
Auditor General Giedrė Švedienė
_________________________________________
The Information Technology Strategy of the National Audit Office 2015–2020 was prepared by Deputy
Auditor General Arūnas Keraminas, Director of the Information Systems and Infrastructure Audit
Department Dainius Jakimavičius, Director of the Audit Development Department Mindaugas Macijauskas,
Director of the General Affairs Department Žydra Bartkevičienė and Deputy Director Selvina Buragaitė,
Head of the Information Technology Division Arturas Sadauskas and Chief Specialist Genovaitė Gasiūnienė.
ANNEXES
Information Technology Strategy of the National Audit Office 2015–2020 Annex 1
Structural scheme of information systems of NAOL
Information Technology Strategy of the National Audit Office 2015–2020 Annex 2
Scheme of computer network of NAOL
Information Technology Strategy of the National Audit Office 2015–2020 Annex 3
Current values of the IT strategic goals implementation indicators
Columns of the original table: goal and indicator; current value/explanation of the indicator; first assessment; assessment frequency; notes.

1. Sustainable development of information technology

1.1. All IT strategic goals of the National Audit Office are aligned with the business goals set out in the Public Audit Strategy.
Current value: The indicator has not been assessed.
First assessment: 2014
Assessment frequency: Assessment is carried out in the case of the alteration of the strategic goals of public audit.
Notes: Link with Indicator 1.2: IT strategic goals are reviewed at the Information Technology Management Committee. In case the strategic goals of public audit have been altered, new IT strategic goals have to be set within 3 months.

1.2. Every year the NAO IT performance is discussed in at least four Information Technology Management Committee meetings.
Current value: Pursuant to the Regulations of the Information Technology Management Committee, the assessment of the IT performance is supposed to be carried out at least twice a year. Over the period 2012–2014, the NAO IT performance was discussed 3–5 times a year.
First assessment: 2015
Assessment frequency: Assessment is carried out four times a year.
Notes: The assessment of the indicator is related to the activity of the Committee and monitoring of the implementation of the IT strategic goals. Link with Indicator 1.1: The monitoring function carried out by the Information Technology Management Committee ensures the alignment of the strategic goals of public audit and IT strategic goals.

1.3. The average amount of funds allocated for IT resources during the last three years should not exceed 4 per cent of the NAO budget.
Current value: The indicator has not been assessed. The average amount of funds allocated for IT resources over the period 2011–2013 totalled 3.8 per cent of the NAO budget (the average amount of funds allocated for IT resources over three years was LTL 935,145 [EUR 270,837]).
First assessment: 2014
Assessment frequency: Every year
Notes: IT resources include IT staff salaries, expenses for purchasing IT services and assets, excluding the costs of training. Link with Indicator 2.2.

2. IT services that satisfy customer needs

2.1. 95 per cent of the services are provided under fixed service level agreements (SLA, OLA).
Current value: The indicator has not been assessed.
First assessment: 1st quarter 2015
Assessment frequency: Every year
Notes: Following the IT infrastructure management principles (ITIL), which are based on best management practices and oriented towards work optimisation and quality assurance in the field of IT, IT Process Management Rules will be developed and approved at the National Audit Office in order to regulate IT process management, the scope and techniques of the provision of IT services to the NAO structural units, and cooperation between the IT Division of the General Affairs Department of the NAO and the structural units of the NAO in the field of IT. The Rules will cover the following components of the IT process: incident and request management; problem management; configuration management; service level management; change management. The Rules will define the services to be provided by the IT Division, so it will be possible to assess this indicator and Indicator 2.3.

2.2. 80 per cent of the computer equipment is not older than five years.
Current value: In 2014, 70 per cent of the computer equipment used in the NAO was older than five years.
First assessment: 2 January 2015
Assessment frequency: Every year
Notes: The indicator is measured by estimating the time in use of the portable and desktop computers in all computerised workplaces of the National Audit Office. The assessment is carried out annually, when planning next year’s procurement.

2.3. Customer evaluation of the IT services is scored 7 (out of 10).
Current value: The indicator has not been assessed.
First assessment: 2nd quarter 2015
Assessment frequency: Every year
Notes: The indicator will be measured by conducting the user surveys provided for in the IT Process Management Rules (see the explanation of Indicator 2.1 above).

3. IT governance in line with best practices

3.1. The implementation of the IT Strategy will result in the achievement of maturity level 3 (according to the COBIT CMM) in five main (out of 11) selected processes and maturity level 2 in the other six main (out of 11) selected processes.
Current value: The indicator was assessed over 2003–2006. The scores given to the selected processes in 2006 were as follows: the maturity score for 1 process (out of 9) was 3; the maturity score for 2 processes (out of 9) was 2; the maturity score for 6 processes (out of 9) was 1 on average.
First assessment: 2003
Assessment frequency: Until 2020, maturity assessment will be carried out three times, every two years.
Notes: Link with Indicator 1.2: The interim results of the process maturity assessment are discussed at the Information Technology Management Committee and used for revising the measures provided in the IT Strategy implementation action plan, including an external process maturity assessment to be conducted in March 2015 together with experts from the Swiss Federal Audit Office.

3.2. The annual accessibility of the information system should be at least 90 per cent during business hours on weekdays (for third category information systems).
Current value: The indicator has not been assessed.
First assessment: 4 January 2016
Assessment frequency: Every year
Notes: The electronic logbook of requests, incidents and problems kept at the Information Technology Division of the General Affairs Department will make it possible to identify the downtime of the NAO information system. The information system is regarded as inaccessible when its user(s) cannot use at least one of the structural parts of the information system specified in Annex 1 for technological reasons that do not depend on the computerised workplace.

4. High degree of employee expertise in IT

4.1. Continual improvement of the IT staff qualification, with 10 academic hours of specialised training in IT per employee per year on average.
Current value: The number of academic hours of specialised training in IT per employee of the IT Division over 2011–2013 was 7 hours.
First assessment: 2014
Assessment frequency: Every year
Notes: Specialised training in the IT field for the IT staff.

4.2. Continual improvement of the NAO staff qualification, with 3 academic hours of training in IT user skills or computer literacy per employee per year on average.
Current value: The number of academic hours of training in IT user skills or computer literacy per employee of the IT Division over 2012–2014 was 1 hour.
First assessment: 2014
Assessment frequency: Every year
Notes: All staff of the National Audit Office.

4.3. Continual improvement of the qualification of the NAO staff whose activities are related to the management of IT processes and IT resources at the National Audit Office, with 4 academic hours of specialised training in IT per employee per year on average.
Current value: The indicator has not been assessed.
First assessment: 2016
Assessment frequency: Every year
Notes: Link with Indicator 1.2: Specialised training is intended for IT resource managers, IT Management Committee members, and other employees whose functions are related to the management of IT processes and IT resources at the National Audit Office.
Information Technology Strategy of the National Audit Office 2015–2020 Annex 4
Method for setting strategic goals for the information technology of the National Audit Office
This annex contains information on how strategic goals are set for the information technology of
the National Audit Office, when the key business goals are in place.
The links between the NAO business goals, IT goals and COBIT processes were established and
specified on the basis of the ISACA research on public sector business goals and information
technology goals [16], the links between business goals and information technology goals provided in
COBIT 4.1 [17], the links between business processes and COBIT processes identified during the project
“Information Technology Self-Assessment in Supreme Audit Institutions” implemented by the
EUROSAI IT Working Group [18], and the links between business processes and COBIT processes
identified by the National Audit Office during IT audits of Lithuanian public sector institutions and
offices.
Establishing links between business and IT goals involves not only the standard goals cascade used
in COBIT 5 (17 standard enterprise business goals are linked to 17 standard IT-related goals), but
also the more precise links obtained in the public sector research [19]. These methods, more precise
than the COBIT 5 goals cascade, make it possible to determine which IT goals are more important by
measuring the strength of the links between business goals and the respective IT goals.
1. Setting standard goals for the NAO IT in line with standard business goals
The following strategic objectives are set out in the Public Audit Strategy:
- Improvement of the public audit process
- Dissemination of public audit results
- Development of communication and cooperation
- Quality improvement of public audits
- Optimisation of NAO business processes
- Enhancement of professional expertise
- Development of international cooperation
[16] Understanding How Business Goals Drive IT Goals. Executive Briefing, © 2008 ISACA, ITGI
[17] COBIT 4.1: Framework, Control Objectives. Management Guidelines. Maturity Models, © 2007 ISACA, p. 169.
[18] More about the project: http://www.eurosai-it.org/documents/activities/flyer_it.pdf
[19] Understanding How Business Goals Drive IT Goals. Executive Briefing, © 2008 ISACA, ITGI
The most important standard NAO IT goals corresponding to the performance objectives specified in
the Public Audit Strategy, defined in the four BSC (balanced scorecard) perspectives, are obtained by
expressing the strategic objectives (business goals) of the Public Audit Strategy in terms of the
public sector business goals and information technology goals [20]:

BSC perspective | The most important NAO IT goals (in brackets: standard COBIT 5 IT goal) | Importance
Financial perspective | 1. Align the IT strategy with the business strategy (01) | 24
Financial perspective | 5. Drive commitment and support of executive management (03) | 12
Financial perspective | 6. Improve the IT’s cost-efficiency (05) | 10
Customer perspective | 2. Provide service offerings and service levels in line with business requirements (07) | 21
Internal business processes perspective | 3. Make sure that IT services are reliable and secure (10) | 13
Learning and growth perspective | 4. Acquire knowledge and expertise in emerging technologies for business innovation and optimisation (17) | 13
Learning and growth perspective | 7. Acquire, develop and maintain IT skills that respond to the IT strategy | 10
Table 1. The most important standard NAO IT goals in line with the NAO performance objectives set out in the Public Audit Strategy
The column “Importance” shows how strongly the information technology goals are linked to the
key strategic objectives (business goals) of the National Audit Office identified in the Public Audit
Strategy.
2. Link between the NAO strategic objectives and standard IT goals
The correspondence of the four NAO IT goals to the standard IT goals (described in COBIT 5) is as
follows:
SUSTAINABLE DEVELOPMENT OF INFORMATION TECHNOLOGY:
- Align the IT strategy with the business strategy (01)
- Drive commitment and support of executive management (03)
- Improve the IT’s cost-efficiency (05)
IT SERVICES THAT SATISFY CUSTOMER NEEDS:
- Provide service offerings and set service levels in line with business requirements (07)
IT SERVICES IN LINE WITH BEST PRACTICES
- Make sure that IT services are reliable and secure (10)
HIGH DEGREE OF EXPERTISE IN IT
- Acquire knowledge and expertise in emerging technologies for business innovation and
optimisation (17)
- Acquire, develop and maintain IT skills that respond to the IT strategy (COBIT 4.1 IT goal (09);
although this IT goal is not present in COBIT 5, it is taken into account when identifying
related IT processes)
[20] Understanding How Business Goals Drive IT Goals. Executive Briefing, © 2008 ISACA, ITGI
3. Identification and maturity of COBIT 4.1 processes related to standard NAO IT goals (or strategic IT goals)
Using the standard COBIT 5 goals cascade, the identified IT goals are linked to COBIT 5 processes,
and the key COBIT 5 processes rated above 15 are then selected (a primary link “P” between an IT goal
and a COBIT 5 process scores 5, a secondary link “S” scores 2). As a result, seven COBIT 5 processes
are identified:

COBIT 5 process | Rating
EDM01 | 19 (22)
EDM02 | 17 (24.5)
APO01 | 16 (18.5)
APO02 | 17 (21.5)
APO07 | 16 (18.5)
APO08 | 17 (21.5)
BAI02 | 16 (19)

Here the first rating value indicates the strength of the link between the COBIT 5 process and the
five most important IT goals (importance from 12 to 24 in Table 1), and the second value (in brackets)
the strength of the link with all seven IT goals, i.e. the two least important goals (importance 10 in
Table 1) are additionally taken into account.
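The scoring rule just described (P = 5, S = 2, select processes rated above 15, once against the five most important goals and once against all seven) can be written as a short procedure. The following Python script is an added example, not the NAO's own calculation and not the COBIT 5 mapping tables: the goal importance values are taken from Table 1, but the link matrix is constructed for illustration, and the process identifiers it uses (EDM01, APO07, BAI02, MEA01) are only labels for the constructed rows.

```python
"""Goals-cascade rating of COBIT 5 processes, following the rule in Annex 4 (added example)."""

# Importance of the seven NAO IT goals from Table 1: goal number -> importance.
GOAL_IMPORTANCE = {1: 24, 2: 21, 3: 13, 4: 13, 5: 12, 6: 10, 7: 10}

# Scoring rule stated in the annex: primary link "P" = 5, secondary link "S" = 2, no link = 0.
LINK_SCORE = {"P": 5, "S": 2}

# CONSTRUCTED link matrix (process -> {goal: link type}). Illustrative values only;
# not the COBIT 5 goals-cascade tables and not the figures the NAO used.
LINKS = {
    "EDM01": {1: "P", 2: "S", 3: "S", 4: "S", 5: "P", 6: "S", 7: "S"},
    "APO07": {1: "S", 4: "P", 6: "P", 7: "P"},
    "BAI02": {1: "P", 2: "P", 3: "S", 6: "P"},
    "MEA01": {1: "P", 2: "S", 3: "P", 5: "P"},
}


def goals_by_importance(min_importance):
    """Goals with importance >= min_importance: 12 gives the five most important, 0 gives all seven."""
    return [g for g, imp in GOAL_IMPORTANCE.items() if imp >= min_importance]


def rate(process, goals):
    """Sum of link scores between one process and the given set of IT goals."""
    return sum(LINK_SCORE.get(LINKS[process].get(g, ""), 0) for g in goals)


def select_key_processes(goals, threshold=15):
    """Processes rated strictly above the threshold, highest rating first (ties by name)."""
    rated = [(p, rate(p, goals)) for p in LINKS]
    chosen = [(p, r) for p, r in rated if r > threshold]
    return sorted(chosen, key=lambda pr: (-pr[1], pr[0]))


TOP_FIVE = goals_by_importance(12)   # goals 1-5, as in the first rating column
ALL_SEVEN = goals_by_importance(0)   # goals 1-7, as in the bracketed rating column

if __name__ == "__main__":
    for p in LINKS:
        print(f"{p}: {rate(p, TOP_FIVE)} ({rate(p, ALL_SEVEN)})")
    print("key (top five goals):", select_key_processes(TOP_FIVE))
    print("key (all seven goals):", select_key_processes(ALL_SEVEN))
```

With the constructed matrix, the row labelled BAI02 scores 12 against the five most important goals and 17 against all seven, so it is selected only when the two least important goals are counted; that is precisely the distinction the two rating columns above are meant to make visible before a process is put on the list.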
Similarly, using the table relating IT goals to COBIT 4.1 processes [21], the COBIT 4.1 processes
whose strength of links with the identified IT goals scores above 7 are obtained:

COBIT 4.1 process | Rating
PO1 | 10
PO4 | 10
PO10 | 10
DS1 | 10
ME1 | 10
PO7 | 7.5
AI5 | 7.5
Table 2. The key COBIT 4.1 processes the maturity of which should be improved to achieve the NAO IT strategic goals
Mapping matrices are used to determine links between COBIT 5 and COBIT 4.1 processes, taking
into account the control objectives and/or governance/management practice. The following
processes are added to these COBIT 4.1 processes (as above):
(1) key public sector COBIT 4.1 processes identified during IT audits since 2006;
(2) key COBIT 4.1 processes of the National Audit Office, identified by NAO IT auditors;
(3) key COBIT 4.1 processes at the National Audit Office identified during the IT self-assessment in
2006 (Method I);
(4) key COBIT 4.1 processes at the National Audit Office identified during the IT self-assessment in
2006 (Method II).
[21] COBIT 4.1: Framework, Control Objectives. Management Guidelines. Maturity Models, © 2007 ISACA, Appendix I – tables linking goals and processes, p. 169-170
Source | Key COBIT 4.1 processes
Table 2 | PO1, PO4, PO7, PO10, AI5, DS1, ME1
(1) | PO1, PO2, PO10, DS1, DS4, DS11, ME1
(2) | PO1, PO10, DS1, DS4, ME1
(3) | PO1, PO2, PO8, AI1, AI5, AI8, DS4, DS5, DS8
(4) | PO1, PO3, AI1, AI2, AI4, DS1, DS7, DS11, DS13
Table 3. The key COBIT 4.1 processes identified under circumstances (1)–(4) above
Considering the reiteration of the relevant processes in the table, the following values are
obtained in Table 4 below (the number of reiterations in Table 2 and Table 3 together is given:
PO1 is repeated 5 times, PO2 2 times, etc.; in the original the key COBIT processes are shown in
red and the less important processes in blue):

Key processes: PO1 (5), PO10 (3), DS1 (4), DS4 (3), ME1 (3)
Less important processes: PO2 (2), PO7 (2), PO8 (2), AI1 (2), AI5 (2), DS11 (2)
Table 4. The key COBIT 4.1 processes identified under the circumstances given (and reiterated) in Table 3
Considering the processes evaluated at the IT self-assessment seminar in 2006 and their maturity
grades:

Process | Maturity grade (2006)
PO2 | 1.1
PO7 | -
PO8 | 0.1
AI1 | 2.0
AI4 | 0.8
AI5 | 1.7
DS1 | 0.2
DS4 | 1.0
DS5 | 1.9
DS7 | 1.4
DS8 | 1.8
DS11 | 1.0
ME1 | -
Table 5. Processes evaluated at the self-assessment seminar in 2006 and their maturity grades

an IT process table is drawn up which includes the following:
- PO1, PO10, DS1, DS4, ME1: currently the most important IT processes (the key processes in
Table 4);
- PO2, PO8, AI1, AI5, DS11: processes which are currently of secondary importance (the less
important processes in Table 4) but have insufficient maturity according to the 2006 evaluation
results (their maturity in Table 5 < 2.0);
- AI4: currently not important, but its maturity in 2006 was below 1.0.
The maturity of these 11 processes was assessed using the CMM maturity evaluation model
(the assessment criteria are provided in COBIT 4.1). The evaluation of the selected processes
showed the following maturity in 2006 and 2014 (the original table marks higher maturity in the
2014 assessment in red and lower maturity in blue; a value in black means the maturity cannot be
compared; the "Change" column below states the same comparison in words):

COBIT 4.1 process | Maturity in 2006 | Maturity in 2014 | Change
PO1 | 3.00 | 2.13 | lower
PO2 | 1.10 | 1.85 | higher
PO8 | 0.10 | 1.13 | higher
PO10 | - | 1.24 | not comparable
AI1 | 2.00 | 1.32 | lower
AI4 | 0.80 | 1.35 | higher
AI5 | 1.70 | 1.39 | lower
DS1 | 0.20 | 0.08 | lower
DS4 | 1.00 | 2.61 | higher
DS11 | 1.00 | 1.54 | higher
ME1 | - | 1.91 | not comparable
Table 6. The NAO processes assessed in 2006 and 2014 and their maturity

The most important COBIT processes that are in line with the NAO IT goals and whose IT
governance maturity is to be raised are as follows:

COBIT 4.1 process | Maturity in 2014 | Compared with 2006
PO1 | 2.13 | lower
PO2 | 1.85 | higher
PO8 | 1.13 | higher
PO10 | 1.24 | not assessed in 2006
AI1 | 1.32 | lower
AI4 | 1.35 | higher
AI5 | 1.39 | lower
DS1 | 0.08 | lower
DS4 | 2.61 | higher
DS11 | 1.54 | higher
ME1 | 1.91 | not assessed in 2006
Table 7. The relevant NAO control processes and their maturity (in the original, maturity lower than in 2006 is marked in red, maturity higher than in 2006 in blue, and a value in black means the process was not assessed in 2006)

These processes will have to be monitored and evaluated in order to raise the maturity level of 5
processes (out of 11) to 3.0 and of 6 processes (out of 11) to 2.0.
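The comparison in Tables 6 and 7, and the 2006 and 2014 averages (1.21 and 1.50) quoted in Section 2.2.3, can be reproduced from the table values. The following Python script is an added example, not part of the strategy and not the NAO's own tooling: the maturity values are copied from Table 6, and the allocation of the five level-3 target processes to the five highest-scoring ones in 2014 is a hypothetical assumption that the strategy itself does not make.

```python
"""Maturity comparison of the COBIT 4.1 processes in Table 6 (added example; values copied from the table)."""
from statistics import mean

# Table 6: process -> (maturity in 2006, maturity in 2014); None = not assessed that year.
MATURITY = {
    "PO1":  (3.00, 2.13),
    "PO2":  (1.10, 1.85),
    "PO8":  (0.10, 1.13),
    "PO10": (None, 1.24),
    "AI1":  (2.00, 1.32),
    "AI4":  (0.80, 1.35),
    "AI5":  (1.70, 1.39),
    "DS1":  (0.20, 0.08),
    "DS4":  (1.00, 2.61),
    "DS11": (1.00, 1.54),
    "ME1":  (None, 1.91),
}


def average_maturity(year_index):
    """Mean over the processes assessed in that year (index 0 = 2006, 1 = 2014), rounded to 2 places."""
    values = [v[year_index] for v in MATURITY.values() if v[year_index] is not None]
    return round(mean(values), 2)


def classify_changes():
    """Spell out the red/blue/black colouring of Table 6 as labels: higher, lower, unchanged, not comparable."""
    result = {}
    for proc, (m2006, m2014) in MATURITY.items():
        if m2006 is None:
            result[proc] = "not comparable"
        elif m2014 > m2006:
            result[proc] = "higher"
        elif m2014 < m2006:
            result[proc] = "lower"
        else:
            result[proc] = "unchanged"
    return result


def count_at_or_above(level):
    """Number of processes whose 2014 maturity already reaches the given level."""
    return sum(1 for _, m2014 in MATURITY.values() if m2014 >= level)


def target_gap(n_level3=5, n_level2=6):
    """Gap to the 2020 target (5 processes at 3.0, 6 at 2.0).

    HYPOTHETICAL allocation: the n_level3 processes with the highest 2014 maturity are taken to
    be the ones targeted at 3.0 and the remaining n_level2 at 2.0; the strategy does not name them.
    Returns {process: (target level, shortfall in 2014)}.
    """
    assert n_level3 + n_level2 == len(MATURITY)
    ranked = sorted(MATURITY, key=lambda p: MATURITY[p][1], reverse=True)
    gaps = {}
    for i, proc in enumerate(ranked):
        target = 3.0 if i < n_level3 else 2.0
        gaps[proc] = (target, round(max(0.0, target - MATURITY[proc][1]), 2))
    return gaps


if __name__ == "__main__":
    print("average 2006:", average_maturity(0), "average 2014:", average_maturity(1))
    for proc, change in classify_changes().items():
        print(f"{proc}: {change}")
    print("already at 2.0 or above:", count_at_or_above(2.0))
    for proc, (target, gap) in target_gap().items():
        print(f"{proc}: target {target}, shortfall {gap}")
```

Running the script gives the same averages as Section 2.2.3 (1.21 for 2006 over the nine processes assessed then, 1.50 for 2014 over all eleven) and shows that only two processes (DS4 and PO1) already sit at level 2 or above, which is a useful check when the action plan allocates improvement measures among the eleven processes.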
4. Additional information – standard goals used in COBIT 5 and their assessment criteria
Standard enterprise goals used in COBIT 5 and their sample metrics are provided in COBIT 5:
Enabling Processes, Figure 6.
Standard IT goals used in COBIT 5 and their sample metrics are provided in COBIT 5: Enabling
Processes, Figure 7, and in the descriptions of each of the 37 COBIT 5 processes related to these IT
goals.
Standard process goals used in COBIT 5 and their sample metrics are provided in COBIT 5: Enabling
Processes, in the descriptions of each of the 37 processes.
The sample metrics for IT goals and COBIT processes can be used when preparing the annual IT
Strategy implementation action plans and developing criteria for assessing the implementation of
the measures provided for in these plans.