Isaca COBIT-2019 COBIT 2019 Foundation Exam Practice Test

The enterprise strategy archetype is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six enterprise strategy archetypes defined in COBIT 2019: growth/acquisition; operational excellence; customer intimacy; product leadership; data-driven; innovation-driven. Each archetype has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. One of the important components for an enterprise strategy archetype of growth/acquisition is support for the portfolio management role with an investment office. Growth/acquisition is a strategy archetype that emphasizes expanding market share, revenue, customer base, or product range through organic growth or acquisition of other businesses or assets. This strategy archetype requires effective portfolio management of information and technology investments and initiatives that support business growth or acquisition objectives. Portfolio management involves selecting, prioritizing, balancing, monitoring, evaluating, and optimizing information and technology investments and initiatives based on their alignment with business strategy, value delivery potential, risk exposure, resource availability, interdependencies, etc. Portfolio management also involves ensuring that information and technology investments and initiatives are integrated with business processes, systems, structures, culture, etc., especially in case of mergers or acquisitions. Support for the portfolio management role with an investment office means providing a dedicated function or unit that assists the portfolio manager in performing portfolio management activities such as planning, analysis, decision making, reporting, etc., as well as providing guidance, tools, methods, frameworks, standards, best practices etc., for portfolio management5 References: 5: COBIT 2019 Design Guide: page 35-36 : COBIT 2019 Process Reference Guide: page 59-61

The process ‘Ensured Stakeholder Engagement’ (EDM04) is one of the governance processes in COBIT 2019 that involves establishing transparent communication with stakeholders about their needs and expectations from information and technology governance. This process also involves ensuring stakeholder involvement in governance decision making and monitoring stakeholder satisfaction with governance outcomes. One of the roles that is best suited for this responsibility is the board and executive management, who are the highest-level governance body and decision makers in an enterprise. The board and executive management have a duty to ensure that they understand the needs and expectations of various stakeholders such as shareholders, regulators, customers, employees, suppliers, etc., and that they communicate effectively with them about the enterprise’s strategy, objectives, performance, risks, issues, opportunities, etc., related to information and technology governance. The board and executive management also have a responsibility to involve stakeholders in governance decision making by soliciting their input, feedback, opinions, suggestions, etc., and by considering their interests and perspectives when making governance choices. The board and executive management also have a role in monitoring stakeholder satisfaction with governance outcomes by measuring stakeholder value realization from information and technology investments and initiatives.

The process activities component of governance and management objectives includes the expected capability level. A process activity is a specific task or action that contributes to achieving a process outcome or objective. A capability level is a measure of how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. A capability level can range from 0 (incomplete) to 5 (optimizing). Each governance and management objective in COBIT defines a set of process activities that are required to achieve it, as well as an expected capability level for each activity.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

An enterprise that has been consistently growing over the years and has decided to adapt the COBIT framework from the growth perspective of the balanced scorecard dimensions should select product and business innovation as one of its most relevant enterprise goals. The balanced scorecard is a tool that translates strategic objectives into four dimensions: financial, customer, internal, and growth. The growth dimension focuses on how the enterprise can create new products or services, enter new markets, or improve its processes or capabilities to achieve long-term success. Product and business innovation is one of the 17 enterprise goals defined in COBIT 2019, which describe the outcomes that an enterprise wants to achieve from its use of information and technology. This goal relates to enhancing customer satisfaction and loyalty by providing innovative solutions that meet their needs and expectations. The answer is based on the COBIT 2019 Framework5, page 38. References: 5: COBIT 2019 Framework | Digital | English

 The primary reason for management to conduct a process capability assessment is to better understand the current state as compared to the target state. A process capability assessment is a method of measuring and evaluating how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. A process capability assessment can be done using different models or frameworks, such as CMMI or ISO/IEC 15504. A process capability assessment helps management to better understand the current state of a process by identifying its strengths, weaknesses, gaps, and improvement opportunities. A process capability assessment also helps management to compare the current state with the target state, which is the desired level of performance or outcome for a process.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT Process Assessment Model (PAM): Using COBIT 5

The different levels of involvement associated with roles and organizational structure are primarily divided into responsibility and accountability levels. Responsibility and accountability are two key concepts that define the degree of involvement and authority that a role has in performing a task or process. Responsibility means performing or overseeing a task or process, while accountability means being answerable for the outcome or result of a task or process. COBIT uses a RACI chart to assign different levels of responsibility and accountability to roles and organizational structures for each governance and management objective.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

The process practices are the descriptions of the activities that are performed within a process to achieve its purpose and outcomes. The process practices are organized into three levels: basic, intermediate, and advanced. The process practices also include inputs, outputs, roles, responsibilities, goals, and metrics for each activity. The process practices are aligned with the capability levels that can be used as benchmarks to measure and improve the performance of a process. The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. By using the process practices as benchmarks, an enterprise can assess its current capability level for each process, identify the gaps or issues that need to be addressed, set the target capability level for each process based on its strategy, objectives, needs, expectations, etc., and implement the actions and initiatives that are required to enhance the capability level for each process12 References: 1: COBIT 2019 Process Reference Guide: Governance and Management Objectives: page 13-15 2: COBIT 2019 Process Assessment Model: page 11-13

A tailored enterprise governance system is a governance system that is customized to suit the specific needs and context of an enterprise. A sourcing model for information and technology is one of the design factors that influence the design and implementation of a tailored governance system. A sourcing model describes how the enterprise obtains and delivers I&T services, such as in-house, outsourced, cloud-based, etc. The sourcing model affects the governance objectives, components, and enablers that are relevant and applicable for the enterprise.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 The percent of stakeholders satisfied with program/project quality would be an appropriate metric to align with a goal of “Delivery of programs on time, on budget, and meeting requirements and quality standards”. A metric is a quantifiable measure that is used to track and assess the status of a specific process or activity. A goal is a specific target or outcome that an enterprise sets to achieve its vision and mission. Delivery of programs on time, on budget, and meeting requirements and quality standards is one of the 17 generic enterprise goals defined by COBIT that describes the desired outcome of ensuring that IT-enabled investments are delivered successfully. The percent of stakeholders satisfied with program/project quality is a metric that reflects how well this goal is achieved.13 References: COBIT 2019Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 A quantitative approach involves numeric mapping tables created for each of the design factors. According to the COBIT 2019 Design Guide, a quantitative approach is one of the four possible approaches for designing a governance system based on the design factors. A design factor is a characteristic of the enterprise that influences how the governance system should be designed. A quantitative approach uses numeric values to represent the impact of each design factor on the governance components, such as processes, organizational structures, roles, and practices. The numeric values are derived from mapping tables that show how each design factor affects each governance component. The mapping tables are based on empirical data, expert judgment, or best practices. The quantitative approach helps to provide a more objective and consistent way of designing a governance system that is tailored to the enterprise context and needs. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 54 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 56

 An IT implementation method design factor is a characteristic that influences how an enterprise implements IT solutions and services. DevOps is an IT implementation method that focuses on software building, deployment and operations, by integrating development and operations teams to improve collaboration and productivity1, p. 31. References: 1: COBIT 2019 Framework: Introduction and Methodology

 An enterprise will often fail to realize implementation commitments during the execution of an EGIT implementation program plan if it focuses on enabling IT value over business value. IT value is the contribution of IT to achieving enterprise objectives, while business value is the overall benefit that the enterprise derives from its use of information and technology. Focusing on IT value over business value may result in a disconnect between IT and business stakeholders, a lack of alignment between IT goals and business strategy, or a failure to deliver expected benefits or outcomes. Therefore, it is important to balance both IT value and business value when implementing a governance system. The answer is based on the COBIT 2019 Implementation Guide3, page 38. References: 3: COBIT 2019 Implementation Guide | Digital | English

 According to the COBIT 2019 Framework: Introduction and Methodology, a maturity level is a performance measure that is used to assess a specific focus area. A focus area is a topic that is relevant for governance and management of enterprise information and technology (I&T), such as cybersecurity, privacy or digital transformation. A maturity level indicates the extent to which a focus area is implemented and integrated in the enterprise’s governance system. There are six maturity levels defined in COBIT 2019, ranging from 0 (incomplete) to 5 (optimized).3, p. 77-78 References: 3: COBIT 2019 Framework: Introduction and Methodology

 The COBIT performance model is integrated into the COBIT core model. The COBIT core model consists of two main elements: the governance and management objectives (which define what needs to be achieved) and the performance model (which defines how well it needs to be achieved). The performance model is based on existing maturity and capability models (such as ISO/IEC 15504) and provides a common language to measure and communicate performance. The performance model consists of six levels (from 0 to 5) that describe the increasing degree of capability for each governance or management objective.15 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The threat landscape is a design factor that describes the types and levels of threats that an enterprise faces from internal and external sources that could compromise its information and technology assets. The threat landscape helps to determine the level of security and resilience that an enterprise needs to protect its information and technology assets from unauthorized access use disclosure modification destruction or disruption. When tailoring a governance system for an enterprise what would be the most appropriate level of threat landscape for an enterprise in the health care sector is high. The health care sector is a sector that provides health care services such as diagnosis treatment prevention rehabilitation etc., to individuals or populations. The health care sector has a high level of threat landscape compared to other sectors such as manufacturing or retail which have lower levels of threat landscape. This is because the health care sector handles sensitive personal data such as medical records health insurance information patient identifiers etc., that are subject to strict privacy and security regulations such as HIPAA GDPR etc., as well as ethical and legal obligations. The health care sector also relies on critical information and technology systems such as electronic health records telemedicine devices medical devices etc., that are essential for delivering quality health care services to patients. The health care sector faces various types of threats such as cyberattacks data breaches identity theft ransomware malware phishing social engineering natural disasters human errors etc., that could compromise its information and technology assets resulting in financial losses reputational damage legal liabilities regulatory penalties patient harm etc. Therefore when tailoring a governance system for an enterprise in the health care sector it is important to consider a high level of threat landscape and design a governance system that can effectively manage the potential impacts of threats on its information and technology assets5 References: 5: COBIT 2019 Design Guide: page 41-43 : COBIT 2019 Design Guide: page 47-48

 The most critical factor to ensuring the objective of managed availability and capacity is to predict future IT resource requirements based on current and projected business needs, service levels, and performance targets. This factor enables the enterprise to plan, provision, and optimize IT resources in a timely and cost-effective manner, while ensuring that IT services are delivered with sufficient availability and capacity to meet business demands. The factor is based on the COBIT 2019 Design Guide2, page 77. References: 2: COBIT 2019 Design Guide | Digital | English

 According to the COBIT 2019 Framework: Governance and Management Objectives, one of the good practices with regard to performance management of organizational structures is to ensure that organizational meeting reports/minutes are available and meaningful to ensure transparency. This means that the outcomes and decisions of the meetings are documented and communicated to relevant stakeholders in a timely manner, and that they provide sufficient information to support accountability and learning. Transparency is one of the key principles of effective governance of enterprise I&T.4, p. 32-33 References: 4: COBIT 2019 Framework: Governance and Management Objectives

When assessing organizational structures, it is most helpful when subcriteria for each criterion are defined and linked to capability levels. Organizational structures are the arrangements of roles and responsibilities that enable the enterprise to achieve its objectives. Organizational structures can be assessed using six criteria: clarity, comprehensiveness, integration, alignment, authority, and accountability. Each criterion can be further divided into subcriteria that describe the specific aspects or attributes of the criterion. Capability levels are the measures of how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. Capability levels can range from 0 (incomplete) to 5 (optimizing). Defining and linking subcriteria to capability levels helps to evaluate the current and desired state of organizational structures, as well as to identify gaps and improvement opportunities.123 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

The CIO and the program steering committee are responsible for performing a stakeholder satisfaction survey and gathering feedback on lessons learned from the implementation of an EGIT program plan. According to the COBIT 2019 Implementation Guide, the CIO is the executive sponsor of the EGIT program, who provides strategic direction, leadership, and oversight for the program. The program steering committee is a group of senior stakeholders who support the CIO in governing and monitoring the program. One of their responsibilities is to conduct regular reviews of the program performance and outcomes, including stakeholder satisfaction and lessons learned. These reviews help to evaluate the effectiveness and efficiency of the EGIT program plan and identify areas for improvement. References: : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 23 1 : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 45 1

 The number of focus areas describing a certain governance topic or issue that can be addressed by governance objectives is virtually unlimited. Focus areas are topics or issues that can be addressed by governance objectives, such as digital transformation, cybersecurity, privacy, etc. Focus areas can be defined by any stakeholder or group within or outside the enterprise, depending on their needs and interests. COBIT provides examples of some common focus areas, but they are not exhaustive or prescriptive.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 A principle of a proper governance framework is that it should be based on a conceptual model. A conceptual model is “a representation of a system that uses concepts and ideas to form said representation” 8. A conceptual model helps to define the scope, purpose, structure, and content of a governance framework. It also helps to communicate the key concepts and relationships of a governance system to stakeholders. COBIT is based on a conceptual model that consists of three maincomponents: the governance system, the governance components, and the design factors9. References: 8: https://en.wikipedia.org/wiki/Conceptual_model  9: COBIT 2019 Framework: Introduction and Methodology, page 26

The focus of an enterprise that has a cost leadership strategy design factor is short-term cost minimization. A cost leadership strategy is a competitive strategy that aims to achieve lower costs than competitors by offering standardized products or services at low prices. A cost leadership strategy design factor affects how an enterprise designs its governance system, as it implies a focus on operational efficiency, process automation, economies of scale, outsourcing, etc. An enterprise that has a cost leadership strategy design factor would prioritize short-term cost minimization over long-term cost optimization or medium-term cost equalization.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The capability levels are most likely to increase as a result of identifying specific design factors that increase the importance of certain governance and management objectives. The design factors are the characteristics or conditions that influence how an enterprise designs and implements its information and technology governance system using COBIT 2019. The design factors include aspects such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc. By identifying specific design factors that increase the importance of certain governance and management objectives, an enterprise can tailor its information and technology governance system to suit its context and needs. This will also help to improve its capability levels for those governance and management objectives that are prioritized by the design factors. For example, if an enterprise identifies that its IT deployment design factor is cloud-based or hybrid-based, it may increase the importance of certain governance and management objectives such as managed availability and capacity (BAI04), managed service agreements (APO09), managed security services (DSS05), etc., which are relevant for managing cloud-based or hybrid-based IT solutions. By tailoring its information and technology governance system to address those governance and management objectives more effectively, the enterprise can also increase its capability levels for those processes.

The benefit derived from the use of COBIT that provides insight on how to derive value from the use of I&T is primarily associated with an internal stakeholder. An internal stakeholder is a person or group within an enterprise that has an interest or concern in its activities or outcomes. Examples of internal stakeholders are board members, executives, managers, employees, etc. An internal stakeholder would benefit from using COBIT by gaining insight on how to derive value from the use of I&T because it would help them to align I&T with business requirements, optimize costs and resources, enhance performance and outcomes, etc.15 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Stakeholder Needs

The change enablement tasks are the tasks that involve preparing for managing and sustaining the changes that are required for implementing a governance system for an enterprise using COBIT 2019. The change enablement tasks help to ensure that the changes are aligned with the enterprise’s strategy objectives needs expectations etc., that they deliver value and benefits to the enterprise and its stakeholders that they overcome resistance and barriers to change that they create a culture of continuous improvement etc. One of the key change enablement tasks that must be completed during the driver identification phase of an IT initiative is identify the business and governance drivers. The driver identification phase is the first phase of the governance implementation roadmap which involves identifying and analyzing the internal and external factors that trigger or influence the need for designing and implementing a governance system for an enterprise using COBIT 2019. The business drivers are the factors that relate to the enterprise’s business strategy objectives performance risks issues opportunities etc., such as market conditions customer demands competitive pressures regulatory requirements etc. The governance drivers are the factors that relate to the enterprise’s information and technology governance strategy objectives performance risks issues opportunities etc., such as IT alignment IT value delivery IT risk management IT resource management IT performance measurement etc. By identifying the business and governance drivers during the driver identification phase an enterprise can establish a clear understanding of why it needs to design and implement a governance system using COBIT 2019 what are the expected outcomes benefits value etc., from doing so who are the relevant stakeholders their roles responsibilities requirements expectations etc., how to communicate engage involve them in the change process etc.

The principles, policies and frameworks component of a governance system translates desired behavior into practical guidance. Principles are the fundamental norms or rules that guide decision-making and actions. Policies are the statements of intent or direction that define what is expected or required. Frameworks are the conceptual models or structures that define the key elements, relationships, and principles of a system. The principles, policies and frameworks component of a governance system translates desired behavior into practical guidance by providing a consistent and coherent basis for information and technology governance and management.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The alignment goal titled “Delivery of IT services in line with business requirements” is most likely to be associated with the metric “percent of IT services with defined operational costs and expected benefits”. This metric measures the extent to which IT services are aligned with business needs and expectations, and deliver value for money. The alignment goal is one of the 17 enterprise goals defined in COBIT 2019, which describe the outcomes that an enterprise wants to achieve from its use of information and technology. The alignment goal is based on the COBIT 2019 Framework4, page 36. References: 4: COBIT 2019 Framework | Digital | English

 Measuring objectives is the next phase in the life cycle of governance after IT governance is implemented. The life cycle of governance is a continuous process that involves designing, implementing, evaluating, and improving the IT governance system. Measuring objectives is the phase that involves assessing and monitoring the performance and outcomes of the IT governance system against predefined metrics and targets. Measuring objectives is the next phase after IT governance is implemented because it helps to determine whether the IT governance system is effective, efficient, and aligned with the enterprise goals.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

 Within the COBIT goals cascade, stakeholder drivers are transformed into the enterprise’s actionable strategy. The COBIT goals cascade is a mechanism that helps enterprises to align their governance objectives with their stakeholder needs. It consists of four levels: stakeholder drivers, enterprise goals, alignment goals, and governance and management objectives. Stakeholder drivers are the needs or expectations of the internal or external stakeholders of the enterprise. Enterprise goals are the specific targets or outcomes that the enterprise sets to achieve its vision and mission. Alignment goals are the intermediate goals that link the enterprise goals with the governance and management objectives. Governance and management objectives are the desired outcomes of the governance system for information and technology. Stakeholder drivers are transformed into enterprise goals through a process of analysis, prioritization, and validation. Enterprise goals form the basis ofthe enterprise’s actionable strategy.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

A focus area describes a specific governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components. A focus area provides guidance on how to apply COBIT to a specific business driver or pain point, such as digital transformation, cybersecurity, privacy, or business continuity. A focus area can also provide guidance on how to align COBIT with other standards, frameworks or regulations. A focus area is based on the COBIT 2019 Design Guide3, page 19. References: 3: COBIT 2019 Design Guide | Digital | English

The primary objective of reviewing the effectiveness of a new IT governance system that has been operational for 6 months is to identify further governance requirements. An IT governance system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. The effectiveness of an IT governance system can be reviewed using different methods or tools, such as audits, assessments, surveys, feedbacks, etc. The primary objective of reviewing the effectiveness of a new IT governance system that has been operational for 6 months is to identify further governance requirements that may arise from changes in the internal or external environment, stakeholder needs, business objectives, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

 The focus areas are specific governance topics that are relevant for an enterprise based on its context, needs, and objectives. The focus areas provide guidance on how to apply the COBIT 2019 framework to address specific issues or challenges related to information and technology governance. The focus areas also help to tailor the COBIT 2019 framework to suit the enterprise’s specific governance system design. Therefore, when an enterprise is designing a specific governance system that is using diverse technology deployments with multiple domains of business operations, the expected deliverable when tailoring the COBIT 2019 framework is the focus area guidance. The focus area guidance will help the enterprise to select and prioritize the relevant focus areas that match its governance needs and objectives, and to customize the COBIT 2019 components such as principles, enablers, goals, processes, practices, etc., according to the focus area requirements12 References: 1: COBIT 2019 Design Guide, page 51-52 2: COBIT 2019 Framework: Introduction and Methodology, page 27-28

People, skills and competencies are required for good decisions, execution of corrective actions, and successful completion of all activities. This component acts as a primary driver for corrective actions, making it essential for achieving governance or management objectives.

The function of a mapping table when determining the initial scope of a new governance system is to indicate the relevance of a governance or management objective with a particular design factor. A mapping table is a tool that helps to identify and prioritize the governance and management objectives that are most applicable and important for the enterprise, based on its specific characteristics and context. A design factor is one of the characteristics of the enterprise that influence the design and operation of a governance system, such as size, industry, culture, strategy, etc. A mapping table shows the degree of relevance of each governance and management objective with each design factor, using a scale from 0 (not relevant) to 5 (very relevant). The function is based on the COBIT 2019 Design Guide, page 23. References: : COBIT 2019 Design Guide | Digital | English

 The management objective APO09 Managed Service Agreements involves ensuring that IT services are delivered in accordance with agreed-upon service levels and costs. This management objective covers the activities of defining, negotiating, establishing, monitoring, reporting, and reviewing service agreements between service providers and service consumers. This management objective is most relevant for an enterprise that plans to outsource all of its noncore IT operations but wants to ensure the proper level of governance, risk and compliance (GRC) controls. By applying this management objective, the enterprise can improve its service governance and management capabilities, ensure alignment of IT services with business strategy and objectives, enhance service performance and outcomes, and increase service consumer satisfaction and value realization. This management objective also involves ensuring that the outsourced IT services comply with the applicable laws, regulations, standards, guidelines, contracts, or agreements that govern the information and technology activities of the enterprise, as well as with the enterprise’s policies, procedures, processes, practices, etc. This management objective also involves managing the risks associated with outsourcing IT services such as loss of control, vendor lock-in, quality issues, security breaches, etc.

The primary role of business leadership when defining the future state in a business case is to assess proposed solutions against goals. The business case is a document that defines the objectives, benefits, costs, risks, and success factors of IT governance implementation, and proposes one or more solutions that can deliver the desired outcomes. Business leadership is responsible for evaluating the feasibility, viability, and desirability of each solution, as well as ensuring alignment with the enterprise’s strategic direction and stakeholder expectations. The role is based on the COBIT 2019 Implementation Guide4, page 31. References: 4: COBIT 2019 Implementation Guide | Digital | English

 The Build, Acquire and Implement (BAI) domain deals with the definition of IT solutions and their integration in business processes. This domain covers the activities related to identifying, developing, acquiring, implementing, testing, integrating, and deploying IT solutions that meet business requirements. The BAI domain consists of 10 management objectives that describe the desired outcomes of these activities.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The high involvement of IT-related roles in organizational structures is a critical requirement when the IT function is strategic and crucial to the success of the business. The IT function is the part of the enterprise that is responsible for planning, delivering, operating, and supporting information and technology services. The IT function can have different levels of strategic importance for the business, depending on the nature, scope, and objectives of the enterprise. When the IT function is strategic and crucial to the success of the business, it means that information and technology are essential for creating value, achieving competitive advantage, enabling innovation, etc. In this case, it is critical to have high involvement of IT-related roles in organizational structures, such as having IT representation at the board level, having clear IT leadership roles and responsibilities, having effective IT governance committees or forums, etc.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

The Skills Framework for the Information Age (SFIA) has been used as a basis for developing guidance for the COBIT governance component of people, skills and competencies. SFIA is a globally recognized framework that describes the skills required by professionals who work with information and technology2, p. 36. References: 2: COBIT 2019 Framework: Introduction and Methodology

The initial scope of a governance system is the extent and boundaries of the governance system that an enterprise intends to design and implement using COBIT 2019. The initial scope helps to define the focus and direction of the governance system design process, as well as the resources and efforts required for its implementation. One of the key considerations when determining the initial scope of a governance system is the compliance requirements faced by the enterprise. The compliance requirements are the laws, regulations, standards, guidelines, contracts, or agreements that an enterprise must comply with regarding its information and technology activities. The compliance requirements influence the level of control and assurance that an enterprise needs to demonstrate its adherence to the applicable rules and obligations. By considering the compliance requirements when determining the initial scope of a governance system, an enterprise can ensure that its governance system is appropriate for its context and objectives, and that it can effectively manage the potential impacts of non-compliance on its reputation, performance, value, and stakeholder trust.

 A principle associated with the key components of a governance framework is that key components should function independently to maintain integrity. Key components include governance components (such as structures, processes, principles, policies, etc.), governance enablers (such as people, skills, culture, information, services, etc.), and governance outcomes (such as value creation, risk optimization, resource optimization, etc.). These components should operate independently from each other to avoid conflicts of interest, bias, or undue influence. They should also have clear roles, responsibilities, authorities, and accountabilities. COBIT ensures the independence of key components by defining their relationships and interactions in a transparent and consistent manner.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The best way to enable an enterprise to show and prove the benefits realized from the implementation of an EGIT program plan is to communicate the results and benefits in business impact terms. The EGIT program plan is a document that describes the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT implementation program is a program that involves designing and implementing a governance system for an enterprise using COBIT 2019. Communicating the results and benefits in business impact terms means using appropriate tools, methods, formats, frequencies, etc., to report on the progress and outcomes of the EGIT implementation program to relevant stakeholders such as the board, executives, business managers, IT managers, etc., using language and metrics that demonstrate how the program has contributed to achieving the enterprise’s strategy, objectives, performance, value, etc. By communicating the results and benefits in business impact terms, an enterprise can ensure that it has a clear and compelling evidence of the value and benefits delivered by the EGIT implementation program, that it has met stakeholder requirements and expectations, that it has obtained stakeholder feedback and recognition, that it has enhanced stakeholder trust and confidence, etc12 References: 1: COBIT 2019 Implementation Guide: page 51-52 2: COBIT 2019 Framework: Governance and Management Objectives: page 19-20

In COBIT 2019, "Time-to-market" is closely associated with the enterprise goal of maintaining a portfolio of competitive products and services. This metric reflects the enterprise’s ability to deliver new offerings to the market efficiently, which is essential for competitive advantage. The COBIT goals cascade links time-to-market to this objective, emphasizing the importance of quick responsiveness to market demands as part of enterprise strategy​.

 The component that should be considered for inclusion when considering the threat landscape design factor is information security focus areas. The threat landscape is one of the 11 design factors defined in COBIT 2019, and it refers to the current and emerging threats that may affect the enterprise’s information and technology assets, such as cyberattacks, natural disasters, human errors, etc. Information security focus areas are the specific domains or topics that need to be addressed by the governance system to ensure adequate protection of information and technology assets from potential threats, such as identity and access management, data protection, incident response, etc. The answer is based on the COBIT 2019 Design Guide4, page 17. References: 4: COBIT 2019 Design Guide | Digital | English

 A capability maturity model is a tool that assesses how well a process is implemented and performing at a given level, ranging from 0 (non-existent) to 5 (optimized). Each level defines a set of attributes that describe the characteristics of the process at that level, such as process performance, process documentation, process control, process measurement, etc. The model is based on the COBIT 2019 Process Assessment Model4, page 11. References: 4: COBIT 2019 Process Assessment Model | Digital | English

The primary purpose for aligning role descriptions to the enterprise’s business context, organization and operating environment when tailoring the COBIT organizational structure is to assign levels of accountability and responsibility for governance and management activities. This purpose helps to ensure that roles are clearly defined, communicated, understood, and accepted by all stakeholders, and that there are no gaps or overlaps in roles. The purpose is based on the COBIT 2019 Implementation Guide5, page 45. References: 5: COBIT 2019 Implementation Guide | Digital | English

 A key principle associated with the Accountable (A) role of an organizational structure is that accountability cannot be shared. This means that only one person can be accountable for each activity or decision, and that person is ultimately liable for the success and achievement of the assigned tasks2, p. 34. References: 2: COBIT 2019 Framework: Introduction and Methodology

The value generated from the use of I&T reflects a balance among benefits, risk and resources. This is based on the principle of balance, which states that “governance of enterprise I&T should ensure that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives” 1. Value generation is not only about maximizing financial benefits or minimizing costs or risks, but also about optimizing them in relation to the expected outcomes7. References: 1: COBIT 2019 Framework: Introduction and Methodology, page 23 7: COBIT 2019 Framework: Governance and Management Objectives, page 19

 One of the benefits derived from the use of COBIT is that it helps to ensure compliance with applicable rules and regulations. This benefit is primarily associated with an external stakeholder, such as a regulator, auditor, customer, or partner, who expects the enterprise to adhere to certain standards and requirements. COBIT provides guidance on how to align the governance and management of enterprise IT with relevant laws, regulations, and contractual obligations12. COBIT also helps to establish and maintain a compliance culture and program within the enterprise3. References: 1: COBIT 2019 Framework: Introduction and Methodology, page 17 2: COBIT 2019 Framework: Governance and Management Objectives, page 19 3: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, page 77

Time-to-market is a market factor that is directly related to the enterprise goal of portfolio of competitive products and services. Time-to-market is the measure of how quickly an enterprise can deliver new or improved products or services to its customers. It affects the competitiveness, profitability, and customer satisfaction of the enterprise. Portfolio of competitive products and services is one of the 17 generic enterprise goals defined by COBIT that describes the desired outcome of providingproducts or services that meet customer needs and expectations, and that are superior to those offered by competitors.13 References: COBIT 2019 Framework:Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

People, skills and competencies are required for successful completion of all activities within a governance system. People are the individuals or groups who perform or are accountable for the governance activities and tasks. Skills and competencies are the abilities and knowledge that people need to perform their roles and responsibilities. People, skills and competencies are one of the seven enablers of a governance system, as defined by COBIT.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 A due diligence review is a process that involves conducting a comprehensive analysis and assessment of an enterprise’s information and technology assets, capabilities, risks, issues, opportunities, etc., before making a significant decision or transaction. A due diligence review helps to ensure that an enterprise has a clear understanding of the current state and potential impacts of its information and technology activities on its strategy, objectives, performance, value, etc., as well as on its compliance with relevant laws, regulations, standards, guidelines, contracts, or agreements. It is critical to perform a due diligence review following a merger, acquisition, or divestiture event. A merger is an event that involves combining two or more enterprises into one entity. An acquisition is an event that involves one enterprise purchasing another enterprise or its assets. A divestiture is an event that involves one enterprise selling or transferring part of its business or assets to another enterprise. By performing a due diligence review following a merger acquisition or divestiture event an enterprise can ensure that it has identified and addressed any information and technology related risks issues gaps etc., that may arise from theintegration or separation of information and technology assets capabilities processes systems structures culture etc., that it has aligned its information and technology governance and management with its new strategy objectives needs expectations etc., that it has optimized its information and technology performance and value delivery etc34 References: 3: COBIT 2019 Framework: Governance and Management Objectives: page 20-21 4: COBIT 2019 Design Guide: page 47-48

 The chief information officer (CIO) ensures the board is kept informed of major decisions related to value delivery of I&T deployment in accordance with the enterprise strategy. The CIO is the senior executive responsible for leading, directing, and managing the information and technology function of the enterprise. The CIO has a strategic role in aligning I&T with business requirements, ensuring I&T performance, managing I&T risks, fostering innovation, etc. The CIO ensures the board is kept informed of major decisions related to value delivery of I&T deployment by providing regular reports, updates, feedback, recommendations, etc., as well as by participating in board meetings or committees.1 References: COBIT 2019 Framework: Introduction and Methodology, [COBIT 2019 Framework: Roles, Responsibilities & RACI Charts]

Ensuring the program team knows and understands the enterprise goals is a part of the “Where do we want to be?” phase of the implementation. The implementation of a governance system is divided into seven phases, each with a set of activities and outputs. The “Where do we want to be?” phase involves defining the desired outcomes and target state of the governance system, based on the enterprise’s vision, mission, values, and goals. One of the activities in this phase is to ensure that the program team is aware of and aligned with the enterprise goals, as well as their roles and responsibilities in achieving them. The answer is based on the COBIT 2019 Implementation Guide2, page 34. References: 2: COBIT 2019 Implementation Guide | Digital | English

 The key question that should be asked and evaluated one year after IT governance is implemented is whether the enterprise has achieved expected benefits. Benefits are the positive outcomes or value that are derived from a project or program. Benefits can be tangible (such as increased revenue, reduced costs, improved efficiency, etc.) or intangible (such as enhanced reputation, customer satisfaction, employee engagement, etc.). Benefits realization is the process of planning, managing, measuring, and reporting the benefits that are delivered by a project or program. Asking and evaluating whether the enterprise has achieved expected benefits one year after IT governance is implemented is important because it helps to determine whether the IT governance system is effective in creating value for the enterprise and its stakeholders.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

The size of the enterprise is a design factor that describes the scale or magnitude of an enterprise’s information and technology activities in terms of aspects such as number of employees, customers, locations, products, services, processes, systems, data, etc. The size of the enterprise influences the governance and management of information and technology in terms of the level of complexity, diversity, variability, standardization, centralization, decentralization, etc., that are required for its information and technology activities. The key benefit of considering the size of the enterprise when designing governance is targeting capability levels of governance and management objectives. The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization, etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The governance and management objectives are the statements of what an enterprise wants to achieve in terms of its information and technology governance. The governance and management objectives are derived from the enterprise goals, which are the high-level statements of what an enterprise wants to achieve in terms of its mission, vision, values, strategy, etc. By considering the size of the enterprise when designing governance, an enterprise can target capability levels of governance and management objectives that are appropriate for its scale and magnitude of information and technology activities. This will also help to optimize its information and technology performance and value delivery12 References: 1: COBIT 2019 Design Guide: page 47-48 2: COBIT 2019 Process Assessment Model: page 11-13

The strategy archetype is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six strategy archetypes defined in COBIT 2019: customer intimacy, product leadership, operational excellence, compliance-driven, data-driven, and innovation-driven. Each archetype has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. The best approach when determining which strategy archetype most closely aligns with an enterprise’s own strategy is to select the one that reflects the enterprise’s information and technology risk profile, which is another design factor that describes how an enterprise identifies, assesses, responds to, monitors, and reports on information and technology risks. The risk profile helps to determine the level of risk appetite and tolerance that an enterprise has for its information and technology activities, as well as the level of control and assurance that is required for its governance framework. By selecting the strategy archetype that matches the risk profile, an enterprise can ensure that its governance framework is appropriate for its context and objectives5 References: 5: COBIT 2019 Design Guide, page 35-39 : COBIT 2019 Design Guide, page 41-43

The information security function within the IT corporate structure is responsible for classifying information using an agreed-upon classification scheme for a new data collection system. According to the COBIT 2019 Implementation Guide, information security is one of the key enablers of IT governance and management, and it includes the processes and practices for ensuring the confidentiality, integrity, and availability of information assets. One of the activities of information security is to define and implement an information classification scheme that categorizes information based on its sensitivity, criticality, and value to the enterprise. This scheme helps to determine the appropriate level of protection and controls for different types of information, especially for new data collection systems that may involve personal or sensitive data. References: : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 15 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 62 .