A COBIT 2019 Use Case: Financial Institutions in Georgia

COBIT is a framework created by ISACA for IT management and IT governance. Enterprise governance of information and technology (EGIT) is an integral part of corporate governance that:

• Oversees the definition and implementation of processes, structures and relational mechanisms, as directed by the board
• Enables both business and IT people to execute their responsibilities in support of business/IT alignment
• Enables creation of business value from I&T-enabled business investments

Fundamentally, EGIT is concerned with value delivery from digital transformation and the mitigation of business risk that results from digital transformation.

Figure 1: Value Creation

Figure 2: Separating Governance and Management

Governance
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.

Management
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Governance and Management Objectives
The COBIT 2019 core model consists of 40 governance and management objectives grouped under the five domains:

• Evaluate, Direct, Monitor (EDM)
• Align, Plan, Organize (APO)
• Build, Acquire, Implement (BAI)
• Deliver, Service and Support (DSS)
• Monitor, Evaluate, Assess (MEA)

Figure 3: COBIT Core Model

Process Capability Levels
COBIT supports a CMMI-based process capability scheme. The process within each governance and management objective can operate at various capability levels, ranging from 0 to 5. The capability level is a measure of how well a process is implemented and performing. Figure 5 depicts the model, the increasing capability levels and the general characteristics of each.

Figure 4: Capability Levels for Processes

Rating Process Activities
A capability level can be achieved to varying degrees, which can be expressed by a set of ratings. Less formal methods (often used in performance-improvement contexts) work better with a larger range of ratings, such as the following set:

• Fully—The capability level is achieved for more than 85 percent.
• Largely—The capability level is achieved between 50 percent and 85 percent.
• Partially—The capability level is achieved between 15 percent and 50 percent.
• Not—The capability level is achieved less than 15 percent.

Focus Area Maturity Levels
Sometimes a higher level is required for expressing performance without the granularity applicable to individual process capability ratings. Maturity levels can be used for that purpose. COBIT defines maturity levels as a performance measure at the focus area level, as shown in figure 6.

Figure 5: Maturity Levels for Focus Area

IT and Cybersecurity Requirements for Commercial Banks in Georgia
Commercial banks operating in Georgia are required to follow a cybersecurity management framework approved by the National Bank of Georgia (NBG). The regulation is taken directly from the NIST Cyber Security Framework (NIST CSF) and includes the following domains: identify, protect, detect, respond, and recover.

Furthermore, commercial banks are required to provide third party assurance, undergoing an annual independent compliance audit and to share the audit report with the NBG. The banks are required to provide the following:

• Audit report on the compliance with the NBG CSF (NIST CSF) requirements
• Penetration testing results
• Compliance with the SWIFT Customer Security Controls Framework (CSCF)
• IT audit report in compliance with the international frameworks

Commercial banks are required to implement NIST CSF controls while they are free to choose IT governance and management frameworks.

A Georgia Use Case
One of the commercial banks in Georgia, representing the regional bank, approached us to provide third party assurance on the NBG’s regulations. During the project planning phase, we decided to go with the COBIT framework for the IT audit component, as the bank had no specific preference related to the assessment criteria. COBIT is powerful tool when one has to deal with different standards and frameworks (like ISO 27001, NIST CSF, ITIL, etc.).

The bank had not implemented the COBIT framework and, therefore, assessing it against the criteria created some limitations. More precisely, ideally, an organization would start with the COBIT 2019 design and scoping tools, set target capability levels, and implement the framework. Afterwards, assessment would be done to measure whether the organization had achieved set capability levels.

Given the absence of the preliminary controls and metrics, based on professional judgement and references from the “COBIT 2019 Governance and Management Objectives,” targeted capability levels were set and assessment was done against those metrics.

Scoping
Based on the preliminary work, several major topics were analyzed to propose a detailed plan for the project. These topics cover the following areas:

• Governance Domain—Evaluate, Direct and Monitor (EDM)
• Management Domain—Deliver, Service and Support (DSS)

The rationale behind the scoping above mentioned domains were:

1. Enterprise architecture – The client commercial bank was an independent bank operating in Georgia; however, the majority of IT services were provided by the mother company in other country. While the mother company served as a service provider to the Georgian branch, the branch was not fully capable of leveraging or controlling the service provider. Hence, given the circumstances, the assessor considered the governance domain to be a crucial prerequisite of the effective IT processes in the client commercial bank in Georgia.
2. Existing IT processes – The client commercial bank in Georgia was mainly responsible for running IT processes managed centrally by the mother company (bank) in the other country. There were different DSS processes implemented in the client bank in Georgia, and hence, it was considered by the assessor to be included in the scope of the assignment.

Assessment results
To capture the results of the assessment in an easy-to-understand manner, the report included standard bar charts with the two key elements – expected capability level vs. current capability level. For the top management and executives of the organization, this format is well known and creates less room for ambiguity and uncertainty.

The initial project (year 1 assessment) included Governance (EDM) and Management (DSS) domains, which allowed the client bank to lay a foundation for a better enterprise governance of IT while improving current IT operations.

Figure 6: Example of EDM Results (not actual data)

Figure 7: Example of EDM Results (not actual data)

 

For the purposes of this assignment:

• Expected capability levels were defined by the assessor for each process (control).
• Each process (control) was evaluated on the scale of compliance:

1. 1. Not achieved
   2. Partially achieved
   3. Largely achieved
   4. Fully achieved

The capability level was achieved if all the processes were largely or fully achieved. Transferring those criteria in an Excel spreadsheet (with the help of some formulas) resulted not only in the gap assessment report but also a roadmap for improvement. More precisely, it was easily identifiable which processes represented “quick wins” for the management to close the gaps shown on the charts. 

DSS06	Managed Business Process Controls	DSS06.05	Ensure traceability and accountability for information events.	1. Capture source information, supporting evidence and the record of transactions.	Largely Achieved	2	Achieved
DSS06	Managed Business Process Controls	DSS06.05	Ensure traceability and accountability for information events.	2. Define retention requirements, based on business requirements, to meet operational, financial reporting and compliance needs.	Largely Achieved	3	Not Achieved
DSS06	Managed Business Process Controls	DSS06.05	Ensure traceability and accountability for information events.	3. Dispose of source information, supporting evidence and the record of transactions in accordance with the retention policy.	Partially Achieved
DSS06	Managed Business Process Controls	DSS06.06	Secure information assets.	1. Restrict use, distribution, and physical access of information according to its classification.	Largely Achieved	2	Achieved
DSS06	Managed Business Process Controls	DSS06.06	Secure information assets.	2. Provide acceptable use awareness and training.	Largely Achieved

Benefits of COBIT 2019 for Georgian Commercial Banks
As described above, the four parallel assessments (NIST CSF, Penetration Testing, SWIFT CSCF, COBIT 2019) were done for the same commercial bank to ensure compliance with the NBG’s regulations. When planning the assignment, the objective was to have less overlap in the assessment components and to simplify tracking of the findings and recommendations for the client. For that purpose, we used the COBIT-NIST CSF mapping matrix, making sure that one control was tested one time but documented in the respective reports. This allowed not only clear communication, but also saved time and human resources on both sides (by approximately 20 percent).

Proposed benefits of COBIT 2019 can also be true for other commercial banks in Georgia. Given the nature of the regulations, COBIT-NIST CSF mapping could be useful for audit companies and their clients as well. The mapping allows clear reference to clients’ actual controls (sometimes it may also be derived from other standards and frameworks) and regulatory requirements.

About the author: David Shavgulidze, CISA, CISM, is an IT/IS Audit professional with nine years of practical experience in auditing eGovernment systems, Critical Information Infrastructure (CII) and management information systems. He has been involved in multiple international projects in cooperation with the Supreme Audit Institutions (SAIs) - US Government Accountability Office (GAO), SAI¹ India, SAI Poland, SAI Portugal, SAI Brazil, SAI Germany, NAO Sweden, NAO Australia, SAI Montenegro etc. He has experience in building IT audit, digital transformation and information security teams from scratch and managing change across organizational units, as well as experience in investigating corporate cyber espionage and fraud cases.

¹ Supreme Audit Institution, also referred as National Audit Office or State Audit Office.