Enabling Processes
APO01 Process Practices, Inputs/Outputs and Activities (cont.)
CHAPTER 5
COBIT 5 PROCESS REFERENCE GUIDE CONTENTS

Management Practice
APO01.05 Optimise the placement of the IT function.
Position the IT capability in the overall organisational structure to reflect an enterprise model relevant to the importance of IT within the enterprise, specifically its criticality to enterprise strategy and the level of operational dependence on IT. The reporting line of the CIO should be commensurate with the importance of IT within the enterprise.

Inputs (From: Description)
  Outside COBIT: Enterprise operating model; Enterprise strategy

Outputs (Description: To)
  Evaluation of options for IT organisation: APO03.02
  Defined operational placement of IT function: APO03.02

Activities
1. Understand the context for the placement of the IT function, including an assessment of the enterprise strategy and operating model (centralised, federated, decentralised, hybrid), importance of IT, and sourcing situation and options.
2. Identify, evaluate and prioritise options for organisational placement, sourcing and operating models.
3. Define placement of the IT function and obtain agreement.

Management Practice
APO01.06 Define information (data) and system ownership.
Define and maintain responsibilities for ownership of information (data) and information systems. Ensure that owners make decisions about classifying information and systems and protecting them in line with this classification.

Inputs (From: Description)
  None listed

Outputs (Description: To)
  Data classification guidelines: APO03.02, BAI02.01, DSS05.02, DSS06.01
  Data security and control guidelines: BAI02.01
  Data integrity procedures: BAI02.01, DSS06.01

Activities
1. Provide policies and guidelines to ensure appropriate and consistent enterprisewide classification of information (data).
2. Define, maintain and provide appropriate tools, techniques and guidelines to provide effective security and controls over information and information systems in collaboration with the owner.
3. Create and maintain an inventory of information (systems and data) that includes a listing of owners, custodians and classifications. Include systems that are outsourced and those for which ownership should stay within the enterprise.
4. Define and implement procedures to ensure the integrity and consistency of all information stored in electronic form such as databases, data warehouses and data archives.

Management Practice
APO01.07 Manage continual improvement of processes.
Assess, plan and execute the continual improvement of processes and their maturity to ensure that they are capable of delivering against enterprise, governance, management and control objectives. Consider COBIT process implementation guidance, emerging standards, compliance requirements, automation opportunities, and the feedback of process users, the process team and other stakeholders. Update the process and consider impacts on process enablers.

Inputs (From: Description)
  EDM01.03: Feedback on governance effectiveness and performance
  MEA03.02: Updated policies, principles, procedures and standards

Outputs (Description: To)
  Process capability assessments: MEA01.03
  Process improvement opportunities: All APO, All BAI, All DSS, All MEA
  Performance goals and metrics for process improvement tracking: MEA01.02

Activities
1. Identify business-critical processes based on performance and conformance drivers and related risk. Assess process capability and identify improvement targets. Analyse gaps in process capability and control. Identify options for improvement and redesign of the process. Prioritise initiatives for process improvement based on potential benefits and costs.
2. Implement agreed-on improvements, operate as normal business practice, and set performance goals and metrics to enable monitoring of process improvements.
3. Consider ways to improve efficiency and effectiveness (e.g., through training, documentation, standardisation and automation of the process).
4. Apply quality management practices to update the process.
5. Retire outdated processes, process components or enablers.

Align, Plan and Organise