A4 Cobit

The document outlines an assignment on Information Security Governance and Management, focusing on understanding enterprise strategy, goals, risk profiles, and IT-related issues. It details the governance system design process, including the assessment of threats, compliance requirements, and the role of IT within the organization. The assignment is structured into sections that guide the determination of governance objectives and the conclusion of the governance system design.

Special Topics in Information Security 1

Information Security Governance & Management

Taught by Dr. Qutaiba Albluwi

Assignment #4
Group members:
Ahmad Alsayeh
Dana Al-Taher
Laith Taani

Date: May 1st, 2025

Page 1 of 12
Table of Contents
Section 1: Understand the Enterprise Context and Strategy .... 3
Section 1.1: Understand the Enterprise Strategy .... 3
Section 1.2: Understand the Enterprise Goals .... 3
Section 1.3: Understand the Risk Profile .... 3
Section 1.4: Understand I&T Related Issues .... 4
Section 2: Determine the Initial Scope of the Governance System .... 5
Section 2.1: Consider the Enterprise Strategy .... 5
Section 2.2: Consider the Enterprise Goals and Apply COBIT Goals Cascade .... 5
Section 2.3: Consider the Risk Profile of the Enterprise .... 5
Section 2.4: Consider the I&T Related Issues .... 6
Section 2.5: Summary .... 6
Section 3: Refine the Scope of the Governance System .... 8
Section 3.1: Consider the Threat Landscape .... 8
Section 3.2: Consider Compliance Requirements .... 8
Section 3.3: Consider the Role of IT .... 8
Section 3.4: Consider the Sourcing Model for IT .... 8
Section 3.5: Consider IT Implementation Methods .... 9
Section 3.6: Consider the Technology Adoption Strategy .... 9
Section 3.7: Consider Enterprise Size .... 9
Section 3.8: Summary .... 9
Section 4: Conclude the Governance System Design .... 10
Section 4.1: Resolve Inherent Priority Conflicts .... 10
Section 4.2: Conclude the Governance System Design .... 12

Section 1: Understand the Enterprise Context and Strategy

Section 1.1: Understand the Enterprise Strategy

Ref | Strategic Goal
SG1 | Maintain a diversified set of products.
SG2 | Enhance customers' remote digital experience.
SG3 | Introduce in-house FreshJo pastries and desserts instead of depending on local vendors.
SG4 | Optimize technology utilization within branches and drive-through operations.
SG5 | Expand social media presence with modern marketing strategies.

Section 1.2: Understand the Enterprise Goals

EG Number | BSC Dimension | EG Description | Relevant Strategic Goal
EG01 | Financial | Portfolio of competitive products and services | SG1, SG3
EG03 | Financial | Compliance with external laws and regulations | SG2, SG4
EG05 | Customer | Customer-oriented service culture | SG1, SG2
EG06 | Customer | Business service continuity and availability | SG4
EG09 | Internal | Optimization of business process costs | SG3
EG13 | Growth | Product and business innovation | SG5

Section 1.3: Understand the Risk Profile

Reference | Risk Category
1 | IT investment decision making, portfolio definition and maintenance
2 | Program and projects lifecycle management
4 | IT expertise, skills and behavior
6 | IT operational infrastructure incidents
11 | Logical attacks (hacking, malware, etc.)
12 | Third party/supplier incidents
13 | Noncompliance

Section 1.4: Understand I&T Related Issues

Reference | Description
C | Significant IT-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT
E | Failures to meet IT-related regulatory or contractual requirements
F | Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems
H | Duplications or overlaps between various initiatives, or other forms of wasted resources
I | Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction
J | IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget

Section 2: Determine the Initial Scope of the Governance System

Section 2.1: Consider the Enterprise Strategy

No actions need to be taken.

Section 2.2: Consider the Enterprise Goals and Apply COBIT Goals Cascade

Strategic Goals (SGs) | Enterprise Goals (EGs) | Alignment Goals (AGs) | Governance and Management Objectives
SG1 | EG01, EG05 | AG03, AG05 | APO05, DSS02
SG2 | EG03, EG05 | AG01, AG05 | MEA03, DSS02
SG3 | EG01, EG09 | AG03, AG09 | APO05, BAI11
SG4 | EG03, EG06 | AG01, AG07 | MEA03, APO13, DSS03
SG5 | EG13 | AG13 | APO04, APO02

Section 2.3: Consider the Risk Profile of the Enterprise

Reference | Risk Category | Governance and Management Objectives with Value 4
1 | IT investment decision making, portfolio definition and maintenance | APO05
2 | Program and projects lifecycle management | BAI01, BAI11
4 | IT expertise, skills and behavior | APO03
6 | IT operational infrastructure incidents | DSS01
11 | Logical attacks (hacking, malware, etc.) | APO13, DSS02, DSS04, DSS05
12 | Third party/supplier incidents | APO10
13 | Noncompliance | MEA03

Section 2.4: Consider the I&T Related Issues

Reference | Description | Governance and Management Objectives with Value 3.5 | Governance and Management Objectives with Value 4
C | Significant IT-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT | APO03 | DSS02, DSS05
E | Failures to meet IT-related regulatory or contractual requirements | None | MEA03
F | Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems | None | MEA04
H | Duplications or overlaps between various initiatives, or other forms of wasted resources | EDM04, APO05 | None
I | Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction | EDM04 | APO07
J | IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget | APO03, BAI02 | BAI01, BAI11

Section 2.5: Summary

Governance and Management Objectives | Relevant Design Factors
EDM04 | I&T Related Issues
APO02 | Enterprise goals, Risk profile
APO03 | Risk profile, I&T Related Issues
APO04 | Enterprise goals
APO05 | Enterprise goals, I&T Related Issues
APO07 | I&T Related Issues
APO10 | Risk profile
APO13 | Enterprise goals, Risk profile
BAI01 | Risk profile, I&T Related Issues
BAI02 | I&T Related Issues
BAI11 | Enterprise goals, Risk profile, I&T Related Issues
DSS01 | Risk profile
DSS02 | Enterprise goals, Risk profile, I&T Related Issues
DSS03 | Enterprise goals
DSS04 | Risk profile
DSS05 | Risk profile, I&T Related Issues
MEA03 | Enterprise goals, Risk profile, I&T Related Issues
MEA04 | I&T Related Issues

Section 3: Refine the Scope of the Governance System

Section 3.1: Consider the Threat Landscape

The selected threat landscape for FreshJo is normal.

Section 3.2: Consider Compliance Requirements

The selected compliance requirement for FreshJo is normal compliance requirements.

Governance and Management Objectives with Value 3.5 | Governance and Management Objectives with Value 4
None | None

Section 3.3: Consider the Role of IT

The selected Role of IT for FreshJo is factory.

Governance and Management Objectives with Value 3 | Governance and Management Objectives with Value 3.5 | Governance and Management Objectives with Value 4
EDM03 | DSS01, DSS02, DSS03, DSS04 | None

Section 3.4: Consider the Sourcing Model for IT

The selected sourcing model for IT for FreshJo is insourced.

Governance and Management Objectives with Value 3 | Governance and Management Objectives with Value 4
None | None

Section 3.5: Consider IT Implementation Methods

Not applicable.

Section 3.6: Consider the Technology Adoption Strategy

The selected technology adoption strategy for FreshJo is follower.

Governance and Management Objectives with Value 3 | Governance and Management Objectives with Value 3.5 | Governance and Management Objectives with Value 4
APO02, APO04, BAI01 | None | None

Section 3.7: Consider Enterprise Size

The appropriate Enterprise Size for FreshJo is small and medium enterprise.

Section 3.8: Summary

Governance and Management Objectives | Relevant Design Factors
EDM03 | Role of IT
APO02 | Technology Adoption Strategy
APO04 | Technology Adoption Strategy
BAI01 | Technology Adoption Strategy
DSS01 | Role of IT
DSS02 | Role of IT
DSS03 | Role of IT
DSS04 | Role of IT

Section 4: Conclude the Governance System Design

Section 4.1: Resolve Inherent Priority Conflicts


Objective | Priority Level | Justification
EDM01 | Low | Supports a formal governance baseline, useful as FreshJo grows and formalizes processes, even if not urgent now.
EDM02 | - | -
EDM03 | Low | Helps maintain a balanced governance posture despite limited size.
EDM04 | Low | Relevant due to limited IT staffing and cost constraints.
EDM05 | - | -
APO01 | Low | Provides structure for consistent IT processes across branches, helping reduce duplication and support compliance goals.
APO02 | Medium | Important to align IT with overall direction and priorities.
APO03 | Medium | Ensures consistent digital integration across branches (pad systems, app).
APO04 | High | Strategic goal SG5 focuses on modernizing marketing and service experience.
APO05 | High | Critical for tracking product/service offerings and vendor contracts (strategic goals, risk profile and I&T issues).
APO06 | - | -
APO07 | Low | IT skills and staff burnout identified as a risk factor.
APO08 | - | -
APO09 | - | -
APO10 | Low | External vendors (beans, pastries, delivery) present operational dependencies.
APO11 | - | -
APO12 | - | -
APO13 | High | Cybersecurity is a core risk with customer data and online orders.
APO14 | - | -
BAI01 | Medium | Needed for coordinating multi-branch initiatives.
BAI02 | Low | Helps clarify needs before launching or improving systems like the app, subscription tracking, or delivery coordination.
BAI03 | - | -
BAI04 | - | -
BAI05 | - | -
BAI06 | - | -
BAI07 | - | -
BAI08 | - | -
BAI09 | - | -
BAI10 | - | -
BAI11 | High | Project reliability is essential due to frequent delays and tech expansion.
DSS01 | Medium | Supports IT uptime and device availability across branches.
DSS02 | High | Digital services and order systems require reliable response management.
DSS03 | Medium | Ongoing issues with service delays and complaints must be managed.
DSS04 | Low | Important but less urgent due to the lower threat environment.
DSS05 | - | -
DSS06 | - | -
MEA01 | - | -
MEA02 | - | -
MEA03 | High | Tied directly to compliance with external legal and regulatory obligations.
MEA04 | Low | Needed for quality audits and external service assessments.

Section 4.2: Conclude the Governance System Design
COBIT Core Model (governance and management objectives by domain)

Evaluate, Direct and Monitor (EDM):
EDM01 Ensured Governance Framework Setting and Maintenance
EDM02 Ensured Benefits Delivery
EDM03 Ensured Risk Optimization
EDM04 Ensured Resource Optimization
EDM05 Ensured Stakeholder Engagement

Align, Plan and Organize (APO):
APO01 Managed I&T Management Framework
APO02 Managed Strategy
APO03 Managed Enterprise Architecture
APO04 Managed Innovation
APO05 Managed Portfolio
APO06 Managed Budget and Costs
APO07 Managed Human Resources
APO08 Managed Relationships
APO09 Managed Service Agreements
APO10 Managed Vendors
APO11 Managed Quality
APO12 Managed Risk
APO13 Managed Security
APO14 Managed Data

Build, Acquire and Implement (BAI):
BAI01 Managed Programs
BAI02 Managed Requirements Definition
BAI03 Managed Solutions Identification and Build
BAI04 Managed Availability and Capacity
BAI05 Managed Organizational Change
BAI06 Managed IT Changes
BAI07 Managed IT Change Acceptance and Transitioning
BAI08 Managed Knowledge
BAI09 Managed Assets
BAI10 Managed Configuration
BAI11 Managed Projects

Deliver, Service and Support (DSS):
DSS01 Managed Operations
DSS02 Managed Service Requests and Incidents
DSS03 Managed Problems
DSS04 Managed Continuity
DSS05 Managed Security Services
DSS06 Managed Business Process Controls

Monitor, Evaluate and Assess (MEA):
MEA01 Managed Performance and Conformance Monitoring
MEA02 Managed System of Internal Control
MEA03 Managed Compliance With External Requirements
MEA04 Managed Assurance
