Book Review: Configuration Management: Using COBIT 5

Author: ISACA | Reviewed by Diana M. Hamono, CISA, CGEIT, COBIT 5 Foundation
Date Published: 20 November 2017

Configuration Management: Using COBIT 5 provides a clear and concise walk-through of the configuration management process and associated threats, mitigation actions, COBIT 5 enablers and other useful information. It is based on the COBIT 5 enabling process BAI10 Manage configuration and includes MEA01 Monitor, evaluate and assess performance and conformance, specifically for configuration management. This latter enabling process is useful in that it includes some customized activities to perform periodic evaluations of the configuration management performance.

Albeit brief, the book is a useful resource for those involved in an organization that is establishing configuration management practices following the COBIT 5 approach. The book is also a great resource for IS auditors embarking on an audit of configuration management as it lists the threats associated with configuration management, mitigating actions and COBIT 5 enabling processes.

The book outlines the benefits of configuration management, including managing the design and development of a configuration management database based on the seven COBIT 5 enablers:

  1. Principles, policies and frameworks
  2. Processes
  3. Organizational structures
  4. Culture, ethics and behavior
  5. Information
  6. Services, infrastructure and applications
  7. People, skills and competencies

One particularly useful chapter in the book (chapter 2) explains a configuration management model and sets out what such a model should contain. A configuration management model should include:

  • Purpose and scope of the model
  • Goals and capabilities of the enterprise in relation to configuration management
  • Standards
  • Terminology
  • Configuration items and related attributes
  • Definition of services with configuration items and their relationships
  • An establishment of the criticality of configuration items
  • Interfaces, measurements and controls

Included are a couple of chapters outlining the common risk factors and threats related to configuration management, and these are linked to mitigating actions. Such threats include uncontrolled maintenance of configuration items, confusion on the definition and terminology used in configuration management, and implementation challenges for configuration management. The mitigating actions outlined in chapter 5 are useful pointers for those wanting to implement or improve their configuration management practices or for IS auditors who want some tips on what to look for when assessing configuration management. Some of the mitigating actions or controls outlined in the book are:

  • Ensuring there is a clear configuration management strategy in place that is linked to the overall governance model
  • Ensuring configuration management is clearly defined and the process is clear before embarking on an automation strategy for configuration management
  • Establishing clear policies and procedures
  • Formalizing a process to request emergency changes

Chapter 6 explains how the COBIT 5 Process Assessment Model (PAM) can be applied to the configuration management process. The list of key performance indicators and metrics that can be used to assess the performance of configuration management is particularly beneficial to readers.

This book covers all aspects related to configuration management and can be used effectively in conjunction with ITIL resources. The book provides some good points for IT managers, configuration managers and IS auditors to consider when implementing or evaluating the configuration management model, including policies and metrics related to configuration management.

Editor’s Note

Configuration Management: Using COBIT 5 is available from the ISACA Bookstore. For information, visit www.isaca.org/bookstore, contact Support or call +1.847.660.5650.

Reviewed by Diana M. Hamono, CISA, CGEIT, COBIT 5 Foundation, who is an executive director in the governance, risk and assurance team at Synergy Group in Canberra, Australia, and a past president of ISACA’s Canberra Chapter.