Using FLOSS to Implement COBIT for I&T Governance

Free/libre open source software (FLOSS) can be used to achieve greater freedom along with vendor independence and financial benefits in enterprise software portfolios. Often referred to as FOSS or F/OSS,¹ open source software is a critical driver for digital transformation initiatives.² Ninety-nine percent of Fortune 500 companies have already adopted FLOSS, and more than 59 million developers are contributing to an open source project.³ FLOSS infrastructure components include cutting-edge operating systems, web servers, database systems, data science, machine learning frameworks, data governance and security. Recent research suggests that FLOSS adoption adds billions of euros annually to the European economy.⁴

However, FLOSS may also have deployment costs (e.g., consulting, development) and carry risk related to copyright issues, security, lack of warranty, and financial and legal damages, which must be addressed by effective information and technology (I&T) governance.⁵ The growth of FLOSS requires new guides “for the correct selection of FLOSS to help IT managers make appropriate decisions for organizations, define policies for FLOSS adoption”⁶ and assist FLOSS auditing processes.

There are FLOSS solutions available that can be used for implementing IT governance using the COBIT^® framework.⁷ The FLOSS for IT governance matrix (FLOSS4ITGOV) is proposed to guide organizations in developing their FLOSS strategies. FLOSS4ITGOV describes how a selection of FLOSS aligns with COBIT activities and its 40 governance and management objectives. IT practitioners may use it as a first step to redesign their IT governance strategy and infrastructure.

FLOSS and Governance: Establishing the Link

FLOSS governance has been an essential topic of research⁸—such as with the Evaluation Framework for Free/Open souRce projecTs (EFFORT) proposal.⁹ Moreover, several FLOSS projects (e.g., Git, Arch Linux, Django, Odoo Community Association, OpenStack) have made their governance documents available.¹⁰ Nevertheless, the relationship between FLOSS and IT governance is bidirectional.

FLOSS can also support the organizational adoption of prominent governance frameworks such as COBIT, structured according to its five domains:

1. Evaluate, Direct and Monitor (EDM)
2. Align, Plan and Organize (APO)
3. Build, Acquire and Implement (BAI)
4. Deliver, Service and Support (DSS)
5. Monitor, Evaluate and Assess (MEA)¹¹

Each domain is divided into a number of objectives to guide organizational strategies, further divided into practices and further distilled into more than 1,000 activities.

There are numerous FLOSS solutions with the potential to support relevant areas of governance. A good starting point to search for solutions is through online portals¹² organized by category. For example, there are FLOSS options for risk management (e.g., Open Source Risk Engine [ORE]), security (e.g., Mailvelope, Snort) and infrastructure monitoring (e.g., Wireshark, Zabbix). The number of categories available is vast.

There are FLOSS solutions that focus on IT management (e.g., open source service management), which allow for managing incidents/requests, creating forms, defining service-level agreements (SLAs) and delivering enhanced customer experiences. There are also open governance, risk and compliance (GRC) solutions such as Eramba.

However, no single solution supports all COBIT activities. It is useful for management to consider integrating more than one FLOSS if an organization’s business requires it.

Examples of FLOSS for IT Governance

In this research, 35 FLOSS applications were selected using a snowball approach until all 40 COBIT objectives were represented with at least one FLOSS tool.

Figure 1 indicates how many COBIT activities each FLOSS can support (e.g., assisting activity planning, execution or audit). Examples include document management (e.g., Alfresco), risk (e.g., Open Source Risk Engine), infrastructure (e.g., Proxmox, database management systems), enterprise architecture (e.g., Archimate) and communication (e.g., Issabel). Most FLOSS solutions address a restricted number of COBIT activities; however, more comprehensive software packages support, directly or indirectly, nearly 50 percent of COBIT activities.

COBIT: FLOSS Coverage Analysis

COBIT allows a capability evaluation, and each activity is related to a specific capability level.¹³ The average level of capability by FLOSS (using as a reference all the COBIT activities covered) is illustrated in figure 2.

An analysis of the value of the average capability level of the evaluation sample indicates that approximately 52 percent of the FLOSS applications have an average level below 3.0 (e.g., Apache Open Office, at 2.66, corresponds to an average value, which fits nicely in traditional office automation tools). The entire sample of FLOSS solutions has an average capability level of 3 (2.98), and only 8 percent can support the organization to reach level 4 activities.

The most prevalent maturity results in the sample may be due to a natural tendency by the market to create FLOSS solutions that are useful to the greatest possible number of organizations.

The most prevalent capability results in the sample (level 3) may be due to a natural tendency by the market to create FLOSS solutions that are useful to the greatest possible number of organizations. Therefore, support for higher capability levels (e.g., level 4, with few FLOSS tools at this level) may require other solutions or specific development projects. One of the FLOSS applications reaching a higher capability level is Anaconda, which targets an emerging need for organizations with advanced data processing (data science). However, there is a good solution for shifting lower COBIT capability levels (e.g., improving from level 2 to 3).

FLOSS can be a valuable solution for free IT governance strategies, particularly for transitioning from low capability levels to mid-range values.

The FLOSS-Enabled COBIT Matrix

Figure 3 shows an extract of the FLOSS4ITGOV matrix to assist organizations in their FLOSS deployment strategy for IT governance. The FLOSS4ITGOV matrix shows the percentage of COBIT activities covered by FLOSS, aiming to assist decision-making in FLOSS selection and auditing. Its creation was an iterative process. First, the researchers conducted an online search for FLOSS suitable to the 40 governance and management objectives included in COBIT. Second, the FLOSS support was reviewed for the more detailed COBIT activities. The process continued until all 40 governance and management objectives had at least one associated FLOSS. Finally, the percentage of activities covered in each line was calculated.

Figure 3 shows the percentage coverage of activities for each COBIT governance and management objective. At the top are FLOSS applications (e.g., Alfresco, Anaconda) that make up the analysis sample. The colors presented in each cell are associated with the percentage of COBIT activities covered, for example:

• Red is used to represent lower values.
• Yellow is used for values between 8 and 30 percent.
• Light green represents values between 30 percent and 50 percent.
• Green represents values between 50 percent and 100 percent of activities covered for the specific governance and management objective.

The 40 governance and management objectives in COBIT can be supported by at least one FLOSS. However, only a minority reach very high coverage percentages, such as DSS02 Managed service request and incidents. Therefore, organizations should combine different FLOSS solutions to reach their desired governance goals according to the target capability level suggested by the COBIT design factors.¹⁴ The results highlight the potential of FLOSS to enrich IT governance practices and audit in the organization.

Conclusion

This pioneering study of FLOSS to support IT governance with COBIT identifies an initial list of FLOSS tools that support COBIT and proposes a new matrix: FLOSS4ITGOV. FLOSS can be a valuable solution for free IT governance strategies, particularly for transitioning from low capability levels to mid-range values (level 3). However, the FLOSS list is dynamic, and more FLOSS applications can be added in the future. Organizations can use the proposed matrix to identify a tailored FLOSS road map aligned with their COBIT assessments. Developers can use FLOSS4ITGOV to identify improvements for COBIT support and new FLOSS development opportunities for I&T governance. For example, auditors can use the FLOSS4ITGOV matrix to identify the FLOSS tools that can support COBIT activities for the audited organization’s business, to ascertain the percentage of coverage of activities offered to determine FLOSS integration and, finally, to suggest free solutions for I&T governance improvements.

Editor’s Note

A full version of the FLOSS4ITGOV matrix is available at https://www.doi.org/10.17632/cffb8r77vh.1.

Endnotes

¹ TechTarget Contributor; “Free and Open Source Software (FOSS) or Free/Libre Open Source Software (FLOSS),” June 2008, https://www.techtarget.com/whatis/definition/Free-and-open-source-software-FOSS-or-free-libre-open-source-software-FLOSS
² Forrester, Seize The Open Source Opportunity Through Comprehensive, Optimized Strategies, USA, April 2021, https://www.openlogic.com/sites/default/files/pdfs/perforce-forrester-report.pdf
³ Ahlawat, P.; J. Boyne; D. Herz; F. Schmieg; M. Stephan; “Why You Need an Open Source Software Strategy,” Boston Consulting Group, 16 April 2021, https://www.bcg.com/publications/2021/open-source-software-strategy-benefits
⁴ European Commission, “Commission Publishes Study on the Impact of Open Source on the European Economy,” 6 September 2021, https://digital-strategy.ec.europa.eu/en/news/commission-publishes-study-impact-open-source-european-economy
⁵ Harutyunyan N.; A. Bauer; D. Riehle; “Industry Requirements for FLOSS Governance Tools to Facilitate the Use of Open Source Software in Commercial Products,” Journal of Systems and Software, vol. 158, December 2019, https://www.sciencedirect.com/science/article/pii/S0164121219301578
⁶ Sánchez V.; P. Ayuso; J. Galindo; D. Benavides; “Open Source Adoption Factors—A Systematic Literature Review,” IEEE Access, vol. 8, 8 May 2020, https://ieeexplore.ieee.org/document/9089866
⁷ ISACA^®, COBIT^® 2019 Framework: Governance and Management Objectives, USA, 2018, https://www.isaca.org/resources/cobit
⁸ Harutyunyan N.; Open Source Software Governance: Distilling and Applying Industry Best Practices, Ernst Denert Award for Software Engineering 2020, Springer Cham, Switzerland, 2022
⁹ Aversano L.; M. Tortorella; “Quality Evaluation of Floss Projects: Application to ERP Systems,” Information and Software Technology, vol. 55, iss. 7, July 2013, https://www.sciencedirect.com/science/article/abs/pii/S0950584913000311
¹⁰ Zotero, Foss Governance, “Group Libraries, Foss Governance,” https://www.zotero.org/groups/2310183/foss_governance/items/BQXBV4MC/item-list
¹¹ Op cit ISACA
¹² Harvey, C.; “Open Source Software: Top 59 Sites,” Datamation, 23 February 2011, https://www.datamation.com/open-source/open-source-software-top-59-sites/
¹³ Op cit ISACA
¹⁴ ISACA, COBIT^® Design Guide: Designing an Information and Technology Governance Solution, USA, 2018, https://www.isaca.org/resources/cobit

LAURA JAIME

Is an informatics engineer. Her past experience includes deploying free/libre open source software (FLOSS) in two private universities in Angola. She is currently researching FLOSS solutions for IT governance, focusing on COBIT^®.

JOÃO BARATA

Is an assistant professor at the Department of Informatics Engineering, Faculty of Science and Technology of the University of Coimbra (Combria, Portugal). He is also a researcher at the Centre for Informatics and Systems of the University of Coimbra and was invited to join the Polytechnic Institute of Coimbra in 2016 as assistant professor of information systems (IS). Barata has 22 years of experience as an IS consultant and has worked with more than 300 public and private organizations in Africa, Europe and the United States. His main research interests are IS, digital transformation, IT governance, business process management, supply chain management and Industry 4.0/5.0.