
http://www.enterprisegrc.com

CobiT™ Overview Training
Materials used to train for the CobiT Foundation™ are only available through our accredited ITPreneurs partner purchase program, which is licensed for distribution as an ISACA® certification course. This presentation is heavily adapted by EnterpriseGRC Solutions, represents a summary of the main points, and is not available for sale or distribution. Individuals or organizations may contact us to purchase the entire set of materials. For additional information please visit http://www.itsmcampus.com/docs/cobit_update.pdf or email Arjan Woertman (arjan.woertman@itpreneurs.com).

EnterpriseGRC Solutions, Inc. is a certified ITPreneurs Partner and ISACA Training Partner. This course is presented by:
Robin Basham, M.Ed, M.IT, CISA, ITSM, CGEIT, CRISC, ACC
Managing Partner, EnterpriseGRC Solutions, Inc.
President, Association Certified Green Technology Association
http://www.enterprisegrc.com

Governance in Your Context - Introductions

If this were a live or online interactive training, we would begin by sharing your unique:
• involvement and need for Governance
• issues you hope to resolve through best practice in Governance, Risk and Compliance
• and providing our best answers to the question "Why CobiT©"


© EnterpriseGRC Solutions, Inc. ISACA® and ITPreneurs ™All Rights Reserved - You could be earning credit right now! To learn more about accredited on line and live training 800 847-6821 2

Session Agenda
COBIT Foundation Course™
• Published for distribution by ITPreneurs on behalf of ISACA, the materials for the CobiT course are the product of many years of committee contribution. Formal training requires purchase of the complete training materials.
• This session is an overview to prepare students for the full 8 to 20 hour course. CobiT Foundation™ is a program of study that builds the capacity both to pass an external examination and to successfully implement CobiT in a work environment. Live training involves interactive exercises.
• EnterpriseGRC Solutions, Inc. is authorized to provide CobiT training. By the end of today's half day, you will have a newfound appreciation for the value of extended study and application of the CobiT Framework, as well as of other ITGI authorized courses ranging from introductory to advanced governance topics.


Course Introduction
• COBIT was developed by the IT Governance Institute (ITGI™).
• Our objective today is to achieve a basic understanding of COBIT and how you might apply it in practice.
• This training consists of the following sections:
  • IT Governance and Governance as a Framework
  • Introduction to COBIT: A Control Framework
  • Overview of COBIT Components
  • COBIT: Resources

For a current set of CobiT materials, please visit http://www.enterprisegrc.com

About ISACA and ITGI
• ISACA - With more than 70,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized, worldwide leader in IT governance, control, security, and assurance. Founded in 1969, ISACA:
  • Sponsors international conferences.
  • Publishes the Information Systems Control Journal.
  • Develops international information systems auditing and control standards.
  • Administers the globally respected Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) designations.
• ITGI - The IT Governance Institute (ITGI) (www.itgi.org) was established by ISACA in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. ITGI:
  • Developed COBIT, now in its fifth edition.
  • Offers original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.
Topics of This Session
Main points in our session will cover:
• IT management issues that affect organizations.
• Principles of IT governance.
• The need for a control framework, driven by the need for IT governance.
• How COBIT meets the requirements for an IT governance framework.
• How COBIT is used with other standards and best practices.
• The COBIT framework and all the components of COBIT: control objectives, control practices, management guidelines, and the assurance guide.
• How to apply COBIT in a practical situation.
• The benefits of using COBIT.
• The products and support that ITGI provides.

The COBIT Framework
The acronym COBIT stands for Control Objectives for Information and related Technology.

COBIT Framework Characteristics. COBIT's main characteristics are:
• Business-focused
• Process-oriented
• Controls-based
• Measurement-driven


COBIT: An IT Control Framework
For latest updates on COBIT, log on to

Evolution (figure: each release broadens the scope of the previous one):
• COBIT 1 (1996): Audit
• COBIT 2 (1998): Control
• COBIT 3 (2000): Management
• COBIT 4 (2005): Governance
• COBIT 5 (2012): Process and Application Controls, Val IT, Risk IT Framework


The COBIT Cube: IT Processes
COBIT describes the IT life cycle with the help of four domains:
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

Processes are series of activities with natural control breaks. The 34 processes across the four domains specify what the business needs to achieve its objectives. The delivery of information is controlled through 34 high-level control objectives, one for each process.

Activities are actions that achieve measurable results, have life cycles, and include many discrete tasks.

(Figure: the COBIT cube, whose three dimensions are IT Processes, Information Criteria, and IT Resources.)

Key Objectives of Foundation Knowledge
• The principles of IT governance.
• Who is responsible for IT governance.
• How IT governance resolves management issues.
• The scope of IT governance.
• The need for a control framework driven by IT governance.

IT Challenges
• Many organizations invest significant amounts of money and resources in IT.
• They rely on IT to support business operations and meet strategic objectives.
• Increasingly, organizations are faced with the challenge of adapting to dynamic business demands while handling technology-related risks and complexities.

(Figure: the organization and its IT resources and expenses, surrounded by seven challenges: Keeping IT Running, Value, Costs, Mastering Complexity, Aligning IT With Business, Regulatory Compliance, and Security.)
IT Challenges – Keep The Enterprise Running
Keeping IT Running: Discontinuity of IT Services
• Typically, the following problems may arise because of technical failure:
  • Critical business processes, such as order processing, being disrupted
  • Administrative personnel unable to handle diaries, mail, or documents
  • Customers unable to contact call centers
• The above problems may result in lost business, reduced profits, and damage to the organization's reputation.

As a result, organizations need to guarantee the continuity of IT services for business-critical services.
IT Challenges – Provide Strategic Value
Value
Given the significant investments made in IT and the strategic importance of IT projects, organizations need to ensure that IT provides value. In most IT projects that exceed budgetary expectations or deadlines, the typical problems are:
• Poorly defined requirements
• Systems too complex to implement
• Underestimation of the effort required
• Poor project management

(Figure: Business Value plotted against Project Execution Time.)

As a result, organizations need to identify the right IT projects and execute them within time and budget to deliver the expected value.
IT Challenges – Manage Costs
Costs
Typically, the reasons for higher expenditure are:
• The costs associated with IT assets are not understood.
• Operational budgets are increasing because of complex licensing, maintenance, and outsourcing contracts.
• There is a shortage of skilled resources.
• Large financial losses are incurred because of failed projects.
• IT spending by business units and central IT departments is not coordinated.

(Figure: IT Asset Cost and IT Expenditure, showing increasing expenditure.)

As a result, organizations need to manage IT costs as carefully as they do other significant costs of business. This requires efficient and effective processes and allocation of resources such as people and technology. In addition, it requires effective vendor relationships.
IT Challenges – Master Complexity
Mastering Complexity: Handling External Relationships
The typical problems arising because of these complexities are:
• Maintaining technical competence
• Managing diverse technical infrastructures
• Adapting to rapid changes and new developments
• Managing external relationships and service providers

As a result, the IT function should be organized and managed so that organizations are able to handle complexities and avoid excessive costs.

IT Challenges – Alignment with the Business
Aligning IT With Business
In most organizations, the gap between what users expect and what IT can provide continues to exist because of the following reasons:
• Poorly defined business requirements
• Inability to set priorities
• Complexity of projects
• Lack of committed business sponsors
• Lack of clear business drivers for solutions
• Communication gaps between business and IT

(Figure: Strategic Alignment between Business and IT.)

As a result, organizations need to ensure that IT partners with the business to deliver value.

IT Challenges – Regulatory Compliance
Regulatory Compliance
Regulations that govern business operations impact IT systems. The IT function needs to be aware of the national and international legal and regulatory requirements that relate to, for example:
• Corporate governance and financial reporting
• Privacy and security

(Figure: Regulations govern Business Operations, which in turn impact IT Systems; the IT function must be aware of the regulations and ensure compliance.)

Therefore, organizations need to ensure compliance with legal requirements and with the contractual requirements agreed with service providers and trading partners.
IT Challenges - Security
Security
Unfortunately, the desire to make information readily available through the use of technology carries security risks. These risks have increased because of several factors:
• The use of the Internet and networking, which exposes internal systems to the world.
• Viruses and hackers.
• The increasing misuse of information.
• The technical complexities of IT environments and the associated problems of security.
• Poor awareness of security issues among computer users.

(Figure: Internet, Cloud, and Firewall.)

As a result, organizations need to ensure adequate security in their IT environment. This entails increasing the awareness of management and users regarding their responsibilities and possible risks.
What Is Enterprise Governance?
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goals of:
• Providing strategic direction.
• Ensuring that objectives are achieved.
• Establishing that risks are managed appropriately.
• Verifying that the enterprise's

Governance Is About Balance
Governance is about Performance and Conformance.
• Governance requires a balance between the conformance and performance goals, as directed by the board.
  • Performance: improving profitability, efficiency, effectiveness, and growth.
  • Conformance: adhering to legislation, internal policies, and audit requirements.
• IT governance is part of enterprise governance. It is defined as a structure of relationships and processes to direct and control the enterprise toward achieving its goals by adding value while balancing risk versus return over IT and its processes.
Principles of IT Governance
The board of directors and executive management are responsible for IT governance, which involves structures and processes that direct the organization toward achieving its objectives. The principles are:
• Direct and Control
• Responsibility
• Accountability
• Activities

Principles of IT Governance – Direct and Control
Direct and Control
Direct: Management provides direction to implement a change. To provide effective direction, management needs to understand the intended change. In addition, management directs another person to bring about the change.

Control: Control ensures that the objective is achieved and no undesired incidents occur.

(Figure: the governance loop between the Board and the IT Organization. Direct: the board sets direction, and sets objectives and measures. Control: the IT organization performs activities and reports measures; the board compares the reported measures against the objectives.)
Principles of IT Governance – Direct and Control
Direct and Control can be related to the functioning of a thermostat. A thermostat regulates room temperature without producing any heating or cooling effect itself. It only compares the room temperature with its own set point and switches the heater or cooler on or off.

(Figure: a thermostat with a set point of 72 directs the heater and cooler, which control the room temperature.)

The thermostat directs the heating/cooling system based on the temperature setting. The heating/cooling system controls the room temperature by providing the right amount of additional heating or cooling, based on instructions from the thermostat.

Principles of IT Governance - Responsibility
Responsibility
The CEO is ultimately responsible for overall internal control. Senior managers assign responsibility for the establishment of specific internal control policies and procedures to the personnel performing a unit's functions. Internal control is the responsibility of everyone in an organization and should be an explicit or implicit part of job descriptions.

(The direct-and-control figure from the previous slide is repeated here.)

Principles of IT Governance - Accountability
Accountability
Accountability is related to responsibility but specifically focuses on having the authority to make decisions and give approval. Accountability for the final outcome of a set of activities cannot be passed to anyone else. For example, responsibility for the process of defining the IT strategy will be shared by several people, each responsible for certain tasks and activities. Ultimately, it may be the CEO who decides on key issues and approves the final version. He is then accountable for the IT strategy.

(The direct-and-control figure is repeated here, with the board marked as Accountable.)

Principles of IT Governance – Activities - Actions
Activities: IT Function in an Organization
IT activities are effective when there is good IT governance. Typically, IT departments must align with the organization's business needs. This alignment is a much better performance indicator than any technical parameter.

IT is not about technological excellence; it's about meeting service requirements.

IT Governance Stakeholders - Internal
Internal Stakeholders and Their Concerns
• IT Manager: How do we deliver IT services, as required by the business and directed by the board?
• Board, Executive, and Business Manager: How do we define business direction for IT, deliver value, and manage risks?
• Risk and Compliance Manager: How do we ensure that policies, regulations, and laws are complied with and new risks identified?
• IT Auditor: How do we provide independent assurance of IT value delivery and risk mitigation?

IT Governance Stakeholders - External
External Stakeholders and Their Concerns
• External Auditor: I need to know whether or not the automated banking reconciliation system works in order to clear the audit.
• Customers: I need you to keep my banking details secure on your computer system.
• Regulators: How can we be assured that the organization has a business continuity plan? If it does not, regulators may retract the banking license.
• Suppliers: Do we have assurance that confidential information about our company is not sent to our competitors?

IT Governance: Focus Areas

Strategic Alignment

Value Delivery

Risk Management

Resource Management

Performance Measurement

IT Governance: Strategic Alignment
Strategic Alignment
• Focuses on ensuring the linkage of business and IT plans; on defining, maintaining, and validating the IT value proposition; and on aligning IT operations with enterprise operations.
• Ensures that an enterprise's investment in IT is in harmony with the enterprise's strategic objectives.

(Figure: Aligning IT with Business.)

IT Governance: Value Delivery
Value Delivery
Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs, and proving the intrinsic value of IT.

(Figure: Business Value and Return on Investment (ROI).)

IT Governance: Risk Management
Risk Management
Requires:
• Risk awareness by senior corporate officers
• A clear understanding of the enterprise's appetite for risk
• An understanding of compliance requirements
• Transparency about significant risks to the enterprise
• Embedding of risk management responsibilities into the organization

Risks can be managed by:
• Risk mitigation
• Risk transfer
• Risk acceptance
• Risk avoidance

IT Governance: Resource Management
Resource Management
IT Governance Helps Optimize Costs and Resources
Is about the optimal investment in and the proper management of critical IT resources, such as:
• Applications
• Information
• Infrastructure
• People

A look-ahead strategy will help manage for the present and develop and build competencies and capacity for the future.

IT Governance: Performance Management
Performance Measurement
• Tracks and monitors strategy implementation, project completion, process performance, and service delivery.
• If there is no way to measure and evaluate IT activities, it is not possible to govern IT and ensure the alignment, value delivery, risk management, and effective use of resources.

"If you cannot measure it, you cannot manage it."
Benefits of IT Governance
IT governance offers the following benefits:
• More reliable services
• More transparency
• Responsiveness of IT to business
• Confidence of the top management
• Higher

Need for a Control Framework for IT Governance
Enterprises cannot deliver effectively against business and governance requirements without adopting and implementing a governance and control framework for IT to:
• Link to business requirements.
• Make performance against these requirements transparent.
• Organize IT activities into a generally accepted process model.
• Identify the major resources to be leveraged.
• Define the management control objectives to be considered.
Summary IT Governance
Organizations typically face the following IT challenges that drive the need for IT governance:
• Keeping IT running
• Delivering value to customers
• Managing IT costs
• Mastering complexity
• Aligning IT with business
• Ensuring regulatory compliance
• Managing security

IT governance is a structure of relationships and processes that helps direct and control the achievement of enterprise goals. IT governance is an integral part of enterprise governance.

Summary IT Governance
Organizations typically face the following IT challenges that drive the need for IT governance:
• Keeping IT running
• Delivering value to customers
• Managing IT costs
• Mastering complexity
• Aligning IT with business
• Ensuring regulatory compliance
• Managing security

IT governance is a structure of relationships and processes that helps direct and control the achievement of enterprise goals. IT governance is an integral part of enterprise governance.

The focus areas of IT governance are:
• Strategic alignment
• Value delivery
• Risk management
• Resource management
• Performance measurement

Governance and control frameworks are becoming part of IT management best practices and are enablers for establishing IT governance and complying with continually increasing regulatory requirements.

Can You Name The Players in this Slide?

Objectives
• Identify how COBIT supports the characteristics of a control framework.
• Understand the premise of the COBIT framework.
• Explain the components and functions of the COBIT framework.
• Demonstrate the role of COBIT IT processes and the four IT domains.
• Apply IT resources and information criteria.

Topics for the CobiT Control Framework

Characteristics of a Control
Framework

The COBIT Framework

The COBIT Cube

Introduction to Val IT

What do We Get from A Compliance Framework?

(Figure: a define, execute, and measure cycle applied to Compliance, Resources, Services, and Risk.)

Compliance frameworks are designed to make companies more successful by reducing operating cost and risk while optimizing service delivery. If a framework can't achieve this, it is the wrong framework.
5 Characteristics of a Control Framework
A control framework:
• Provides Sharper Business Focus
• Defines a Common Language
• Ensures Process Orientation
• Helps Meet Regulatory Requirements
• Has General Acceptability Among Organizations
Characteristics – Business Focus
Business Focus
• COBIT achieves sharper business focus by aligning IT with business objectives.
• The measurement of IT performance should focus on IT's contribution to enabling and extending the business strategy.
• COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself.

Characteristics – Process Orientation
Process Orientation
• When organizations implement COBIT, their focus is more process-oriented.
• Incidents and problems no longer divert attention from processes.
• Exceptions can be clearly defined as part of standard processes.
• With process ownership defined, assigned, and accepted, the organization is better able to maintain control through periods of rapid change or organizational

Characteristics – General Acceptability
General Acceptability
• COBIT is a proven and globally accepted standard for increasing the contribution of IT to organizational success.
• The framework continues to improve and develop to keep pace with best practices.
• IT professionals from all over the world contribute their ideas and time to regular review meetings.

Characteristics – Regulatory Requirements
Regulatory Requirements
• Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This covers IT controls as well.
• Organizations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.
• Many IT managers, advisors, and auditors are turning to COBIT as the de facto response to regulatory IT requirements.

Characteristics – Common Language
Common Language
• A framework helps get everybody on the same page by defining critical terms and providing a glossary.
• Coordination within and across project teams and organizations can play a key role in the success of any project.
• A common language builds confidence and trust.

What are Compliance Components? (Object Model)
The object model relates the compliance components as follows:
• Company Name: highest-level Process Profile owner.
• Department: Department Owner.
• Accounting Oversight Board: Audits; Audit owner.
• Ownership: Domain/Process Champions assign Control Object owners to all objects. Sponsor: Department Management; Accounting Oversight Board.
• Domains: there are four domains (four records; each item is 1 of a possible 4).
• Management Functions: the business has unlimited Management Functions, but they are typically limited to fewer than 10.
• High-level Control Objectives: there are thirty-four control objectives; 1 of 34 is associated to all objects.
• Parent Process: item inherits its Domain; a process inherits Domain and Control Object.
• Architecture: diagrams, inventories, systems.
• Detail Control: KGI, CSF, and KPI items inherit Domain and Control Object. The Detail Control List is a single object that inherits domain and control object (KGI, CSF, KPI, Parent Process).
• Policy: item inherits its Domain and Control Object; evidence of process. Handbooks, legal contracts.
• Component Process: item inherits its Domain and Control Object; evidence of process. The business has unlimited Component Level Processes; SubProcesses are typically fewer than 10.
• Critical Success Factors (CSF): each control objective has N number of CSFs (CSF list).
• Key Goal Indicators (KGI): each control objective has N number of KGIs (KGI list).
• Key Performance Indicators (KPI): each control objective has N number of KPIs (KPI list).
• Maturity Level: 34 sets of five-item rows; Maturity Profile.
• Detail Control Objectives: 34 sets of 3 to 24 detailed objectives defining Control Object tasks and proficiencies.
• Work Instructions: associated to Process. Operation Process Book; actual step-by-step procedures; corporate communications, portals, training materials. Support a substantiated maturity rating; evidence of process.
• Audit Results: 34 control objects; 352+ Detail Objectives; 34 maturity ratings supported by performance reports; Process Profiles; detailed summary of deficiencies and risk; stated corporate Critical Success Factors; ongoing process optimization.

COBIT Provides a Framework for IT Governance
COBIT – Bridging Gaps
COBIT helps bridge the gaps among business risks, control needs, and technical issues. It provides good practices across a domain and a process framework and presents activities in a manageable and logical structure. COBIT:
• Starts from business requirements.
• Is process-oriented, organizing IT activities into a generally accepted process model.
• Identifies the major IT resources to be leveraged.
• Defines the management control objectives to be considered.
• Incorporates major international standards.
• Has become the de facto framework for overall control over IT.

IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.

COBIT: Product for Many Audiences
COBIT – Designed for Management, Auditors, and IT
• The COBIT framework helps not only technical users but also those who are responsible for the effective use of IT, such as management or auditors. The COBIT framework helps these users by ensuring that:
  - Their requirements are properly understood and defined.
  - Everyone is “on the same page,” using a commonly understood reference model.
[Diagram: Management, Audit, Information Technology]

COBIT: Premise
The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.
[Diagram: IT Resources and Processes provide Information to Business Processes for achieving Business Objectives]

The COBIT framework helps align IT with the business by focusing on business information requirements and organizing IT resources. The objective is to facilitate IT governance — to deliver IT value while managing IT risks.

COBIT Components
An organization depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.
[Diagram: Business Requirements drive the investment in IT Resources, that are used by IT Processes, to deliver Enterprise Information, which responds to the Business Requirements (COBIT at the centre)]

As a control and governance framework for IT, COBIT focuses on two key areas:
1. Providing the information required to support business objectives and requirements
2. Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes

The COBIT Cube
The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives.

For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube.
[Diagram: the COBIT cube – Information Criteria (Business Requirements), IT Resources, IT Processes]

The COBIT Cube: IT Processes
COBIT describes the IT life cycle with the help of four domains:
1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
[Diagram: IT Processes axis of the cube – Domains, Processes, Activities]
• Processes are series of activities with natural control breaks. There are 34 processes across the four domains. These processes specify what the business needs to achieve its objectives. The delivery of information is controlled through 34 high-level control objectives, one for each process.
• Activities are actions that are required to achieve measurable results. Moreover, activities have life cycles and include many discrete tasks.

The COBIT Cube: IT Domains
PLAN AND ORGANIZE (PO)
• Objectives:
  - Formulating strategy and tactics
  - Identifying how IT can best contribute to achieving business objectives
  - Planning, communicating, and managing the realization of the strategic vision
  - Implementing organizational and technological infrastructure
• Scope:
  - Are IT and the business strategically aligned?
  - Is the enterprise achieving optimum use of its resources?
  - Does everyone in the organization understand the IT objectives?
  - Are IT risks understood and being managed?
  - Is the quality of IT systems appropriate for business needs?
[Diagram: IT and Business]

COBIT Cube Domains – Plan and Organize
Let's look at the COBIT process model, which consists of 34 IT processes defined within the four IT domains.
[Diagram: IT Processes – Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate]

Plan and Organize
PO1: Define a strategic IT plan.
PO2: Define the information architecture.
PO3: Determine technological direction.
PO4: Define the IT processes, organization, and relationships.
PO5: Manage the IT investment.
PO6: Communicate management aims and direction.
PO7: Manage IT human resources.
PO8: Manage quality.
PO9: Assess and manage IT risks.
PO10: Manage projects.

The COBIT Cube: IT Domains (Contd.)
ACQUIRE AND IMPLEMENT (AI)
• Objectives:
  - Identifying, developing or acquiring, implementing, and integrating IT solutions
  - Changing and maintaining existing systems
• Scope:
  - Are new projects likely to deliver solutions that meet business needs?
  - Are new projects likely to be delivered on time and within budget?
  - Will the new systems work properly when implemented?
  - Will changes be made without upsetting current business operations?
[Diagram: New Projects, Organization]

COBIT Cube Domains – Acquire and Implement

Acquire and Implement
AI1: Identify automated solutions.
AI2: Acquire and maintain application software.
AI3: Acquire and maintain technology infrastructure.
AI4: Enable operation and use.
AI5: Procure IT resources.
AI6: Manage changes.
AI7: Install and accredit solutions and changes.

COBIT Cube Domains – Deliver and Support
DELIVER AND SUPPORT (DS)
• Objectives:
  - The actual delivery of required services, including service delivery
  - The management of security, continuity, data, and operational facilities
  - Service support for users
• Scope:
  - Are IT services being delivered in line with business priorities?
  - Are IT costs optimized?
  - Is the workforce able to use IT systems productively and safely?
  - Are adequate confidentiality, integrity, and availability in place?
[Diagram: IT Services, Business Priorities]

COBIT Cube Domains – Deliver and Support

Deliver and Support
DS1: Define and manage service levels.
DS2: Manage third-party services.
DS3: Manage performance and capacity.
DS4: Ensure continuous service.
DS5: Ensure systems security.
DS6: Identify and allocate costs.
DS7: Educate and train users.
DS8: Manage the service desk and incidents.
DS9: Manage the configuration.
DS10: Manage problems.
DS11: Manage data.
DS12: Manage the physical environment.
DS13: Manage operations.

COBIT Cube Domains – Monitor and Evaluate
MONITOR AND EVALUATE (ME)
• Objectives:
  - Performance management
  - Monitoring of internal control
  - Regulatory compliance
  - Governance
• Scope:
  - Is performance of IT measured to detect problems before it is too late?
  - Does management ensure that internal controls are effective and efficient?
  - Can IT performance be linked to business goals?
  - Are risk, control, compliance, and performance measured and reported?

COBIT Cube Domains – Monitor and Evaluate

Monitor and Evaluate
ME1: Monitor and evaluate IT performance.
ME2: Monitor and evaluate internal control.
ME3: Ensure compliance with external requirements.
ME4: Provide IT governance.

The COBIT Cube: Business Requirements
To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. Based on broader quality, fiduciary, and security requirements, seven distinct information criteria are defined.

Business Requirements
Information Criteria are:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

The COBIT Cube: Business Requirements

Effectiveness – Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, and usable manner.

Efficiency – Concerns the provision of information through the optimal (most productive and economical) use of resources.

Confidentiality – Concerns the protection of sensitive information from unauthorized disclosure.

Integrity – Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.

Availability – Relates to information being available, when required by the business process, at present and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

Compliance – Deals with complying with those laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria as well as internal policies.

Reliability – Relates to the provision of appropriate information for the management to operate the entity and to exercise its fiduciary and governance responsibilities.

The COBIT Cube – IT Resources
IT processes manage IT resources to generate, deliver, and store the information that the organization needs to achieve its objectives. The IT resources identified in COBIT can be defined as:

• Applications: automated user systems and manual procedures that process information.
• Information: data that is input, processed, and output by information systems, in whatever form is used by the business.
• Infrastructure: includes the technology and facilities such as hardware, operating systems, and networking that enable the processing of applications.
• People: personnel required to plan, organize, acquire, implement, deliver, support, monitor, and evaluate information systems and services. They may be internal, outsourced, or contracted, as required.

COBIT Framework
[Diagram: Business Objectives and Governance Objectives → Information (criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) → IT Resources (Applications, Information, Infrastructure, People) → the four domains below]

PLAN AND ORGANIZE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organization, and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and change.

DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage the service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.

COBIT — Value and Limitations
COBIT:
• Has internationally accepted good practices.
• Is management-oriented.
• Is supported by tools and training.
• Is freely available as an open standard.
• Allows the sharing and leveraging of the knowledge of expert volunteers.
• Continually evolves.
• Is maintained by a reputable nonprofit organization.
• Maps 100 percent to COSO.
• Maps strongly to all major, related standards.
• Is a reference, not an “off-the-shelf” cure.

Enterprises still need to analyze the control requirements and customize COBIT based on the enterprise’s:
• Value drivers.
• Risk profile.
• IT infrastructure, organization, and project portfolio.

COBIT: Advantages
Some of the advantages of adopting COBIT are:
• COBIT is aligned with other standards and best practices and should be used together with them.
• COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organization.
• COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
• COBIT provides tools to help manage IT activities.

Val IT
Introducing Val IT
• Val IT is based on COBIT and extends and complements it, focusing on the value delivery dimension. Specifically, Val IT focuses on the:
  - Investment decision (are we doing the right things?)
  - Realization of benefits (are we getting the benefits?)

The goal of the Val IT initiative is to help management ensure that organizations realize optimal value from IT-enabled business investments at an affordable cost, with a known and acceptable level of risk.
[Diagram: Val IT helps management achieve optimal value]

Val IT – Principles
The principles of Val IT are outlined below:
• IT-enabled investments will be managed as a portfolio of investments.
• IT-enabled investments will include the full scope of activities that are required to achieve business value.
• IT-enabled investments will be managed through their full economic life cycle.
• Value delivery practices will recognize that there are different categories of investments that will be evaluated and managed differently.
• Value delivery practices will define and monitor key metrics and will respond quickly to any changes or deviations.
• Value delivery practices will engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits.
• Value delivery practices will be continually monitored, evaluated, and improved.

Val IT – Areas
Val IT is based on the “Four Rs” highlighted below.
Some fundamental questions about the value delivered by IT.

Val IT Value Governance
Figure 8 – Key Management Practices Supporting the Three Val IT Processes

The diagram shows the structure of the three Val IT processes and their management practices.
[Diagram: Value Governance (VG), Investment Management (IM), Portfolio Management (PM)]

Value Governance (VG)
• VG1 Ensure informed and committed leadership.
• VG2 Define and implement processes.
• VG3 Define roles and responsibilities.
• VG4 Ensure appropriate and accepted accountability.
• VG5 Define information requirements.
• VG6 Establish reporting requirements.
• VG7 Establish organizational structures.
• VG8 Establish strategic direction.
• VG9 Define investment categories.
• VG10 Determine a target portfolio mix.
• VG11 Define evaluation criteria by category.

Val IT – Investment Management
Figure 8 – Key Management Practices Supporting the Three Val IT Processes

Investment Management (IM)
• IM1 Develop a high-level definition of investment opportunity.
• IM2 Develop an initial program concept business case.
• IM3 Develop a clear understanding of candidate programs.
• IM4 Perform an alternative analysis.
• IM5 Develop a program plan.
• IM6 Develop a benefits realization plan.
• IM7 Identify full lifecycle costs and benefits.
• IM8 Develop a detailed program business case.
• IM9 Assign clear accountability and ownership.
• IM10 Initiate, plan, and launch the program.
• IM11 Manage the program.
• IM12 Manage and track benefits.
• IM13 Update the business case.
• IM14 Monitor and report on program performance.
• IM15 Retire the program.

Val IT – Portfolio Management
Figure 8 – Key Management Practices Supporting the Three Val IT Processes

Portfolio Management (PM)
• PM1 Maintain a human resource inventory.
• PM2 Identify resource requirements.
• PM3 Perform a gap analysis.
• PM4 Develop a resource plan.
• PM5 Monitor resource requirements and utilization.
• PM6 Establish an investment threshold.
• PM7 Evaluate the initial program concept business case.
• PM8 Evaluate and assign a relative score to the program business case.
• PM9 Create an overall portfolio view.
• PM10 Make and communicate the investment decision.
• PM11 Stage-gate (and fund) the selected program.
• PM12 Optimize portfolio performance.
• PM13 Reprioritize the portfolio.
• PM14 Monitor and report on portfolio performance.

Val IT – Processes

The processes listed on the earlier slides expand COBIT’s PO and ME processes, especially those relating to:
• Business and IT strategy
• Investment management
• Portfolio, program, and project management
• Monitoring and evaluating value delivery

The Val IT framework provides a cross-reference to COBIT.

COBIT Management Guidelines
• Goals and metrics show how processes should be measured. These are defined at three levels:
  - IT goals and metrics: define what the business expects from IT, that is, what the business would use to measure IT.
  - Process goals and metrics: define what the IT process must deliver to support the IT goals, that is, how the IT process owner would be measured.
  - Process performance metrics: measure how well the process is performing to indicate if the goals are likely to be met.
• Maturity models help organizations measure process capability from nonexistent (0) to optimized (5).
[Diagram: Management Guidelines Framework – Process Input and Output, Key Activities and RACI Charts, Goals and Metrics, Outcome Measures, Performance Indicators, Maturity Models]

Key Activities and RACI Charts – RACI Chart for PO10
A RACI chart identifies who is Responsible, Accountable, Consulted, and Informed.

Functions (columns, left to right): CEO; CFO; Business Exec; CIO; Bus Process Owner; Head Operations; Chief Architect; Head Development; Head IT Administration; PMO; Compliance, Audit, Risk, and Security.

Activities, with their RACI assignments read left to right across the functions (empty cells are not shown):
• Define a program/portfolio management framework for IT investments. | C C A R C C
• Establish and maintain an IT project management framework. | I I I A/R I C C C C R C
• Establish and maintain an IT project monitoring, measurement, and management system. | I I I R C C C C A/R C
• Build project charters, schedules, quality plans, budgets, and communication and risk management plans. | C C C C C C C A/R C
• Assure the participation and commitment of project stakeholders. | I A R C C
• Assure the effective control of projects and project changes. | C C C C C A/R C
• Define and implement project assurance and review methods. | I C I A/R C
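As an added example (not part of the ISACA/ITPreneurs course material), the following Python encodes the one PO10 row above that kept all eleven cells and checks the RACI rule a reviewer applies to any chart: exactly one Accountable role and at least one Responsible role per activity. The two other activities are constructed here to show how the checks fail.

```python
"""Consistency checks for a COBIT-style RACI chart.

Added example for this section; it is not part of the course material.
The role list and the fully populated row for "Establish and maintain an
IT project management framework" come from the PO10 RACI chart on the
slide. The other two activities are constructed to show the failure modes.
"""
from collections import Counter

# Column order of the PO10 RACI chart (one cell per role).
ROLES = [
    "CEO", "CFO", "Business Exec", "CIO", "Bus Process Owner",
    "Head Operations", "Chief Architect", "Head Development",
    "Head IT Administration", "PMO", "Compliance, Audit, Risk, and Security",
]

VALID_LETTERS = {"R", "A", "C", "I"}

PO10_CHART = {
    # Row as printed on the slide: the CIO is Accountable and Responsible,
    # the PMO is also Responsible, everyone else is Consulted or Informed.
    "Establish and maintain an IT project management framework.":
        ["I", "I", "I", "A/R", "I", "C", "C", "C", "C", "R", "C"],
    # Constructed: two roles marked Accountable, so ownership is ambiguous.
    "Constructed: approve the project budget baseline.":
        ["", "A", "", "A", "C", "", "", "", "", "R", "I"],
    # Constructed: a role is Accountable but nobody is Responsible.
    "Constructed: review the project risk register.":
        ["", "", "", "A", "C", "", "", "", "", "", "I"],
}


def parse_cell(cell):
    """Split a cell such as 'A/R' into its letters; an empty cell has none."""
    return {part.strip().upper() for part in cell.split("/") if part.strip()}


def roles_with(letter, cells):
    """Return the roles whose cell contains the given RACI letter."""
    return [role for role, cell in zip(ROLES, cells) if letter in parse_cell(cell)]


def check_activity(activity, cells):
    """Return a list of findings for one activity row (empty means it passes)."""
    findings = []
    if len(cells) != len(ROLES):
        findings.append(f"{activity}: expected {len(ROLES)} cells, got {len(cells)}")
        return findings
    for role, cell in zip(ROLES, cells):
        unknown = parse_cell(cell) - VALID_LETTERS
        if unknown:
            findings.append(f"{activity}: {role} has unknown letter(s) {sorted(unknown)}")
    accountable = roles_with("A", cells)
    if len(accountable) != 1:
        findings.append(
            f"{activity}: exactly one Accountable role is required, found "
            f"{len(accountable)} {accountable}")
    if not roles_with("R", cells):
        findings.append(f"{activity}: no role is Responsible for doing the work")
    return findings


def check_chart(chart):
    """Run check_activity over every row; returns {activity: [findings]}."""
    return {activity: check_activity(activity, cells) for activity, cells in chart.items()}


def role_load(chart):
    """Count how many activities each role is Accountable or Responsible for."""
    load = Counter()
    for cells in chart.values():
        for role in set(roles_with("A", cells) + roles_with("R", cells)):
            load[role] += 1
    return load


if __name__ == "__main__":
    for activity, findings in check_chart(PO10_CHART).items():
        print("OK  " if not findings else "FAIL", activity)
        for finding in findings:
            print("     ", finding)
    print("Accountable/Responsible load:", dict(role_load(PO10_CHART)))
```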
Process Input and Output
• Each process is linked to other processes. Inputs are the deliverables that a process requires from other processes.
• Outputs are the deliverables that a process provides to others.
• In some cases, the input and output are outside the scope of the COBIT framework.

Process Input and Output – Example: PO10: Manage Projects

From | Input                        | Output                        | To
PO1  | Project portfolio            | Project performance reports   | ME1
PO5  | Updated IT project portfolio | Project risk management plan  | PO9
PO7  | IT skills matrix             | Project management guidelines | AI1, AI7
PO8  | Development standards        | Detailed project plans        | PO8, AI1, AI7, DS6
AI7  | Post-implementation review   | Updated IT project portfolio  | PO1, PO5

Components of Management Guidelines: Outcome Measures
Outcome Measures (Key Goal Indicators in COBIT 4.0): define measures that inform management — after the fact — whether an IT function, process, or activity has achieved its goals. Outcome measures of the IT functions are often expressed in terms of information criteria, such as:
• Availability of the information needed to support the business needs
• Absence of integrity and confidentiality risks
• Cost-efficiency of processes and operations
• Confirmation of reliability, effectiveness, and compliance

Components of Management Guidelines: Performance Indicators
Performance Indicators (Key Performance Indicators in COBIT 4.0): performance indicators define measures that determine how well the business, IT function, or IT process is performing in enabling the reaching of goals. They are lead indicators of whether goals will be reached, driving the higher-level goals. They often measure the availability of appropriate capabilities, practices, and skills, and the outcome of underlying activities.
Note: The outcome measures of the lower level become the performance indicators of the higher level.

Process and Activity Goals Example: PO10 Goals and Metrics

IT goals:
• Respond to business requirements in alignment with the business strategy.
• Deliver projects on time and within budget, meeting quality standards.
• Respond to governance requirements, in line with board direction.

Process goals (these drive the IT goals):
• Establish project tracking and cost/time control mechanisms.
• Provide transparency of project status.
• Make timely project management decisions at critical milestones.

Activity goals (these drive the process goals):
• Define and enforce program and project frameworks and approaches.
• Issue project management guidelines.
• Perform project planning for each project in the project portfolio.

IT goals are measured by:
• Percent of projects meeting stakeholder expectations (on time, within budget, and meeting requirements, weighed by importance)

Process goals are measured by:
• Percent of projects on time and within budget
• Percent of projects meeting stakeholder expectations

Activity goals are measured by:
• Percent of projects following project management standards and practices
• Percent of certified or trained project managers
• Percent of projects receiving post-implementation reviews
• Percent of stakeholders participating in projects (involvement index)

Key Goal Indicators – PO10

COBIT defines two levels of outcome measures: one for the IT department (IT outcome measure) and one for the IT process (process outcome measure).

Example PO10: Manage Projects

IT Outcome Measure:
• Percentage of projects meeting stakeholder expectations (on time, within budget, and meeting requirements), weighed by importance

Process Outcome Measures:
• Percentage of projects on time and within budget
• Percentage of projects meeting stakeholder expectations

Performance Indicators – PO10

Note: These are the outcome measures for the activities and the performance indicators of the PO10 process.

• Percentage of projects following project management standards and practices
• Percentage of certified or trained project managers
• Percentage of projects receiving post-implementation reviews
• Percentage of stakeholders participating in projects, which represents the involvement index
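The two slides above define PO10's IT outcome measure, process outcome measures, and performance indicators in words. The following is an added example, written for this page and not part of the ISACA or EnterpriseGRC course material, that computes those same figures over a constructed project portfolio. The Project attributes, the 1-to-5 importance weights, the project names and their statuses are all assumptions made for illustration; the one point the code shows that the slides do not is how the "weighed by importance" qualifier on the IT outcome measure changes the result when a high-importance project misses its targets.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Project:
    """One entry in the IT project portfolio (constructed sample attributes)."""
    name: str
    importance: int             # assumed business importance weight: 1 (low) to 5 (critical)
    on_time: bool
    within_budget: bool
    meets_requirements: bool
    follows_pm_standards: bool  # run under the PO10 project management standards and practices
    certified_pm: bool          # project manager is certified or trained
    post_impl_review: bool      # a post-implementation review was performed

    @property
    def meets_stakeholder_expectations(self) -> bool:
        # COBIT's wording: on time, within budget, and meeting requirements
        return self.on_time and self.within_budget and self.meets_requirements


def percent(part: float, whole: float) -> float:
    """Percentage rounded to one decimal; an empty portfolio yields 0.0 instead of a ZeroDivisionError."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def it_outcome_measure(portfolio: List[Project]) -> float:
    """IT outcome measure: percent of projects meeting stakeholder expectations, weighed by importance.

    Each project counts with its importance weight, so a missed critical project
    pulls the figure down more than a missed low-importance one.
    """
    total_weight = sum(p.importance for p in portfolio)
    met_weight = sum(p.importance for p in portfolio if p.meets_stakeholder_expectations)
    return percent(met_weight, total_weight)


def process_outcome_measures(portfolio: List[Project]) -> Dict[str, float]:
    """Process outcome measures for PO10 (plain, unweighted project counts)."""
    n = len(portfolio)
    return {
        "pct_on_time_within_budget": percent(
            sum(1 for p in portfolio if p.on_time and p.within_budget), n),
        "pct_meeting_expectations": percent(
            sum(1 for p in portfolio if p.meets_stakeholder_expectations), n),
    }


def performance_indicators(portfolio: List[Project]) -> Dict[str, float]:
    """Lead indicators (activity outcome measures) for PO10."""
    n = len(portfolio)
    return {
        "pct_following_pm_standards": percent(sum(1 for p in portfolio if p.follows_pm_standards), n),
        "pct_certified_pm": percent(sum(1 for p in portfolio if p.certified_pm), n),
        "pct_post_impl_reviews": percent(sum(1 for p in portfolio if p.post_impl_review), n),
    }


# Constructed sample portfolio: names, weights and statuses are illustrative only.
SAMPLE_PORTFOLIO = [
    Project("ERP upgrade",      5, on_time=False, within_budget=True,  meets_requirements=True,
            follows_pm_standards=True,  certified_pm=True,  post_impl_review=False),
    Project("Intranet refresh", 1, on_time=True,  within_budget=True,  meets_requirements=True,
            follows_pm_standards=False, certified_pm=False, post_impl_review=True),
    Project("SIEM rollout",     4, on_time=True,  within_budget=True,  meets_requirements=True,
            follows_pm_standards=True,  certified_pm=True,  post_impl_review=True),
    Project("Printer fleet",    1, on_time=True,  within_budget=False, meets_requirements=True,
            follows_pm_standards=True,  certified_pm=False, post_impl_review=False),
    Project("Mobile app",       2, on_time=True,  within_budget=True,  meets_requirements=False,
            follows_pm_standards=True,  certified_pm=True,  post_impl_review=True),
]


if __name__ == "__main__":
    print("IT outcome measure (weighed by importance):", it_outcome_measure(SAMPLE_PORTFOLIO))
    print("Process outcome measures:", process_outcome_measures(SAMPLE_PORTFOLIO))
    print("Performance indicators:", performance_indicators(SAMPLE_PORTFOLIO))
```

On the sample portfolio two of five projects meet stakeholder expectations, so the unweighted process measure reads 40.0 percent, while the importance-weighted IT outcome measure reads 38.5 percent because the project that missed its deadline carries the highest weight. The lead indicators (80 percent following standards, 60 percent with certified managers, 60 percent with post-implementation reviews) are the figures management would watch to predict whether the outcome measures will improve.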

Benchmarking

Maturity models provide a scale to benchmark company practices against industry standards and guidelines. A maturity model is a measure that enables an organization to grade its maturity for a specific process from nonexistent (0) to optimized (5).

Scale: 0 Nonexistent | 1 Initial | 2 Repeatable | 3 Defined | 4 Managed | 5 Optimized

Legend for symbols used (positions marked on the scale):
• Enterprise current status
• Industry average
• Enterprise target

Legend for ranking used:
0 - Management processes are not applied at all.
1 - Processes are ad hoc and disorganized.
2 - Processes follow a regular pattern.
3 - Processes are documented and communicated.
4 - Processes are monitored and measured.
5 - Good practices are followed and automated.

The above scale shows the status of the current and the proposed position of the organization in relation to industry best practices, standards, and guidelines.
The COBIT Maturity Model

Attributes (each is ranked on the scale below):
• Awareness and communication
• Policies, standards, and procedures
• Tools and automation
• Skills and expertise
• Responsibility and accountability
• Goal setting and measurement

Rankings:
0 – Nonexistent: Management processes are not applied at all.
1 – Initial: Processes are ad hoc and disorganized.
2 – Repeatable: Processes follow a regular pattern.
3 – Defined: Processes are documented and communicated.
4 – Managed: Processes are monitored and measured.
5 – Optimized: Good practices are followed and automated.
Maturity Model for PO10: 0 – Nonexistent

Project management techniques are not used and the organization does not consider the business impacts associated with project mismanagement and project development failures.

Maturity Model for PO10: 1 – Initial

The use of project management techniques and approaches within IT is a decision left to individual IT managers. There is a lack of management commitment to project ownership and project management. Critical decisions on project management are made without user management or customer input. There is little or no customer and user involvement in defining IT projects. There is no clear organization within IT for the management of projects. Roles and responsibilities for the management of projects are not defined. Projects, schedules, and milestones are poorly defined, if at all. Project staff time and expenses are not tracked and compared to budgets.

Maturity Model for PO10: 2 – Repeatable

Senior management has gained and communicated an awareness of the need for IT project management. The organization is in the process of developing and utilizing some techniques and methods from project to project. IT projects have informally defined business and technical objectives. There is limited stakeholder involvement in IT project management. Initial guidelines have been developed for many aspects of project management. Application of project management guidelines is left to the discretion of the individual project manager.

Maturity Model for PO10: 3 – Defined

The IT project management process and methodology have been established and communicated. IT projects are defined, with appropriate business and technical objectives. Senior IT and business management are beginning to be committed to and involved in the management of IT projects. A project management office is established within IT, with initial roles and responsibilities defined. IT projects are monitored, with defined and updated milestones, schedules, and budget and performance measurements. Project management training is available and is primarily a result of individual staff initiatives. Quality assurance procedures and post-system-implementation activities have been defined but are not broadly applied by IT managers. Projects are beginning to be managed as portfolios.

Maturity Model for PO10: 4 – Managed

Management requires formal and standardized project metrics and the review of lessons learned at project completion. Project management is measured and evaluated throughout the organization and not just within IT. Enhancements to the project management process are formalized and communicated, with project team members trained on enhancements. IT management has implemented a project organization structure with documented roles, responsibilities, and staff performance criteria. Criteria for evaluating success at each milestone have been established. Value and risk are measured and managed before, during, and after the completion of projects. Projects increasingly address organization goals, rather than only IT-specific ones. There is strong and active project support from senior management sponsors as well as stakeholders. Relevant project management training is planned for employees in the project management office and across the IT function.

Maturity Model for PO10: 5 – Optimized

A proven, full lifecycle project and program methodology is implemented, enforced, and integrated into the culture of the entire organization. An ongoing initiative to identify and institutionalize the best project management practices has been implemented. An IT strategy for sourcing development and operational projects is defined and implemented. An integrated project management office is responsible for projects and programs from inception to post-implementation. Organization-wide planning of programs and projects ensures that user and IT resources are best utilized to support strategic initiatives.

IT Assurance Guide

The objective of the IT Assurance Guide is to:
• Demonstrate how to use COBIT to support a variety of IT assurance activities.
• Enable the users to leverage COBIT when planning and performing assurance reviews, so that the business, IT, and assurance professionals are all aligned around a common framework and objectives.
• Guide planning, scoping, and executing assurance reviews using a roadmap based on well-accepted assurance approaches, supported by detailed tests that are based on COBIT's processes and control objectives.

The guide is organized in three parts: Assurance Roadmap; Execution Roadmap; Detailed Testing Advice.

Assurance Guide Roadmap

The Assurance Guide roadmap consists of the following three stages:

Planning: The establishment of the IT assurance universe for the assurance assignment serves as the beginning of every assurance initiative.

Scoping: The scoping process starts from defining business and IT goals for the environment under review and identifying the set of IT processes and resources (that is, the assurance universe) required to support those goals.

Execution: The third stage of the IT assurance roadmap describes an approach that assurance professionals can follow, including the core testing activities as they execute a particular assurance initiative.

(Guide parts: Assurance Roadmap; Execution Roadmap; Detailed Testing Advice.)

The Execution Roadmap Consists of the Following Six Stages:

1. Refine the understanding of the IT assurance subject.
2. Refine the scope of key control objectives of the IT assurance subject.
3. Test the effectiveness of the control design of the key control objectives.
4. Test the outcome of the key control objectives.
5. Document the impact of control weaknesses.
6. Develop and communicate the overall conclusion and recommendations.

Thank You For Your Time and Interest
