Tips for Understanding the COBIT 5 Enabler of Process

Author: Lisa R. Young, CISA, CISM, CISSP, Security Metrics Engineer, Netflix
Date Published: 2 February 2016

The concept of process improvement has been around for centuries. Some of the earliest efforts to improve the efficiency of work began during the Industrial Revolution in the US and Europe. Eli Whitney1 observed how much work was needed to remove cotton seeds from the boll by hand and, in 1793, invented a machine to automate the process. Fast forward to 1911, when Frederick Taylor2 published The Principles of Scientific Management, in which he proposed that optimizing and simplifying jobs would yield greater productivity. In 1987, the first version of the International Organization for Standardization (ISO) ISO 9000 standard for quality management was introduced.

Process management, performed with an eye toward quality in product and service delivery, is at the heart of the Deming Prize, the Malcolm Baldrige National Quality Award and the European Foundation for Quality Management (EFQM) Excellence Award, all of which grew out of the Total Quality Management movement of the 1980s. These examples are cited not as a history lesson, but as an argument that the successful achievement of an organization’s strategic objectives depends on the performance of its people and its processes. An organization that practices quality management deploys defined, controlled, repeatable and measurable processes in a systemic way to guarantee that organized activities happen the way they are planned. This concept is at the heart of the Plan-Do-Check-Act model for continuous improvement credited to Dr. W. Edwards Deming.3

Processes and the associated detailed procedures are what we develop, document and then use to enable people to perform their work in a consistent and repeatable manner. Processes are often thought of as the “what to do” and generally define the roles required to perform the process. A procedure is often the “how to do it” and generally defines the single role that will perform the procedure. While process is often described as one leg of the people-process-technology triad, it may also be considered the glue that unifies the other aspects to achieve organizational objectives.

It is essential when organizing a functional discipline that each function be established in an orderly way that can be measured and controlled. Otherwise, why do it? Change for the sake of change, or merely to satisfy a new compliance mandate, rarely results in significant improvement or business benefit. Setting a process improvement objective that is tied to an improved capability to manage risk, increased efficiency in managing incidents, a reduced number of controls to implement or some other business benefit sets the context for the change effort.

Processes may include tools, methods, technology, people and practices to achieve goals in an ordered way. ISACA defines process as an interrelated set of cross‐functional activities or events that result in the delivery of a specific product or service to a customer. The activities defined in a process are generally aided by a reference model such as COBIT 5, ITIL or the CERT Resilience Management Model (CERT-RMM) and may also reference the appropriate compliance guidelines, standards or regulations that have to be considered when performing the process.

When deciding the appropriate process areas to focus on for the process definition or improvement, consider areas:

  • That may be causing “pain”
  • In which the organization needs to develop competency
  • That align with regulatory or industry initiatives
  • That align with organizational objectives or other initiatives
  • That support other process improvement initiatives such as Six Sigma

As you think about the time and effort needed to develop a process, ask yourself the following questions:

  • Is the process important to the achievement of business goals or committed service level agreements (SLAs) with customers?
  • Is there only one person who knows how to do the task?
  • Do many people perform the task or is the task a shared responsibility?

If the answer to any of these questions is yes, then a defined process is needed. The benefits of using processes, especially for information security, incident handling and risk management activities, include:

  • A picture is worth a thousand words. For example, showing someone the path of personally identifiable information (PII) as it flows through a third-party cloud in a visual process map is invaluable in demonstrating and communicating the risk that needs to be managed. This can enhance organizational agility to respond to changing business circumstances.
  • Having a defined process for a shared task means that all who perform the activity do so in a consistent and high-quality way. This is especially important for tasks that need to be performed by staff with different experience levels to deliver a consistent and superior product or level of customer service.
  • A defined process provides the means to control the variation in the delivery of a service or product. Policies or standards that are important to the organization can be designed into the process so that conformance is inherent in the delivery of the process. This is especially important to enhance knowledge transfer and integrate new members of the team faster.
  • Productivity is increased when all who perform the process have a standard way to do so. This avoids rework and can be especially critical if the organization is considering outsourcing some of its current processes to a supplier or expanding organizational services in another geographic region.

However, before you can use processes to achieve the stated benefits, the process must be defined, documented and available in a process asset library for all to use. Here are some tips for getting started with defining a process:

  1. What is the reason for performing the process? The purpose of the process should be defined along with its scope, the activities that occur in the process and the roles responsible for performing the tasks.
  2. What are the inputs needed to perform the process and what are the outputs, or work products, that are generated by the process? This is where a common language and taxonomy of terms can be used to standardize the descriptors and provide a common understanding across the organization.
  3. What does the process look like? A graphical depiction of the process activities is critical. The graphic may also include a map of the roles, both internal and external, that are required to perform the process.
  4. What are the controls, policies, standards or guidelines that must be considered when performing the process? This can be used to determine if the process is as efficient as it could be or demonstrate an excessive buildup of controls that has occurred over time. It will also help in understanding if the process is aligned with the organizational policies that are expected to be carried out by the process.
  5. What conditions or dependencies must be satisfied before beginning the process, and what requirements must be met before ending it? This provides a double check that the process as defined matches the process as performed in practice.

For those organizations that are looking to break down silos in functional areas, taking a process approach is often a foundational step. Process integration, or convergence, relies on a set of integrated processes and procedures that support the delivery of a product or service so that a holistic view of the business outcomes drives the work. A defined process provides a means to establish a baseline from which to measure the implementation or institutionalization of the current process. Once the processes are repeatable, they can be measured. Once they are measurable, they can be assessed for improvement. The defined process provides a road map for specific areas of improvement in the context of the organization’s business objectives and unique risk environment.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.

Endnotes

1 Eli Whitney, 1765-1825, was a US inventor best known for inventing the cotton gin. Eli Whitney Museum and Workshop
2 Frederick W. Taylor, 1856-1915, was a US engineer and inventor who is considered the father of scientific management. Encyclopaedia Britannica
3 W. Edwards Deming, Ph.D., 1900-1993, was a US statistician, engineer, author and consultant. The W. Edwards Deming Institute