Pass Isaca COBIT 2019 Exam in First Attempt Easily

Introduction

1. Exam Information

Welcome to your exam information lecture. Please be aware that exam makes sense for you only in case you wish to obtain the official worldwide recognized certificate. For example, like mine here. Mine says Bridge because I've only transferred from previous versions, but yours will be similar. COBIT is owned by ISACA, which is an association of professionals focused on It governance. You must buy the exam and receive their certificate directly with them or one of the accredited partners like APMG or People Set and this lecture will explain how complete and detailed information are. In one of the file you have downloaded ISACA Certificate Programs Exam Guide in this file you will find all the information from this lecture and more. This guide will explain in details how to pay, book and take your exam comfortably from your home or your office. This exam guide explains two other different exams which are covered in section two and section Three, so you can skip these sections. I recommend you to read the rest of the guide where you can find, for example, requirements for your laptop and webcam and also for the room where you will be taking the exam. If you don't understand some of the instructions, don't worry. There will always be an online proctor, a person who will guide you through the whole session and will assist you. The guide also contains contact information to ISACA support in case you'd like to discuss anything prior to your exam. As I mentioned, the exam is proctored, so there will be someone to guide you once your session starts. There are always three options in the exam am or C, where only one is correct. You will have 2 hours to complete your exam and you must answer at least 49 questions correctly out of 75. You will see similar questions at the end of most sessions of this course so you can practice tithe exam is not mandatory. If you want to learn Kobe and don't need an official certificate for your employer or your CV, this course without an exam is perfectly sufficient. If you do need or want the Official Copy2019 Foundation Certificate you must pass the exam and this course contains all you need to do suit explains the topics and gives you or guide you how to download all the mandatory literature. And one last additional information which you may find useful is about the question percentage for each section. To explain it, let me remind you about our course overview and ten sections. Look at the sections two till Nine, the Framework Introductions number Two, three Principles up to Nine Implementation and here you can see percentage of questions out of the total 75 for each of these topics. This might be quite useful as you see here which sections contains the most questions. So these were the key information related to your exam. I know that exams can be a bit stressful and even scary, especially if you haven't taken any online proctored exam yet, so I would like to encourage you Togo ahead and don't worry at all, as I've done it too, so you can do it as well. And I was even pleasantly surprised at the end that it was quite smooth, fast, and almost pleasant experience. Especially when I recall the sense of victory when I passed. So this was the last info from our intersection, and I can wait to show you what exactly is COBIT in the next section the Framework Introduction.

Hide

Framework Introduction

1. Enterprise Governance of I&T

Welcome to the second section of the course, the Framework Introduction. We have completed the housekeeping and you should know now everything about the course organization, materials and the official exam. In the second section, the Framework Introduction, we will jump straight to the Cobit topic itself. I will explain what is enterprise governance and how you can cover your enterprise governance with COBIT. We will see what is the COBIT format, how does it look like, what books it consists of, and what other trainings you can get for COBIT. Firstly, let's clarify a few terms just to align our view of the world. This course category is It, which means we are going to talk about It as an It company or ant department of a company such as this picture here. For example, when I work as a service desk agent, or an architect or a software developer, I'm sitting in this It department. Now, my question is how do you call the rest of the company? In my trainings, I get sometimes really interesting answers such as the others and some other strange titles. So I'm asking for the polite title. We call them Business or the customer. So if I will be referring to the business within the course, I mean either generate businesses, a trade or a company, or the people who are not employed by the It department, liker people, finance people, marketing and so on. It is working hard to support or enable the business. It is giving value to the business by, for example, enabling everyone to communicate via videoconferences by providing video conference software, or enabling accountants to do their invoices by providing invoicing software and so on. So simple. It means It departments such awe saw It on previous picture. But when we say I and T, that refers to things related to information technology, which may not necessarily reside in an It department. What It can be, well, for example, hiring It employees relates to It, but it resides in HR or procurement of It hardware relates to It, but it might be executed by Procurement department in business, right? This is the business part of the organization. And now we can get into the Governance and COBIT topics. Let’s start with clarifying what exactly is the obscure word governance and even more obscure, enterprise governance? Unless you are part of a club of a privileged auditors or It framework geeks, you probably have no idea. Imagine that you are an owner and an executive manager of a sports fashion business such as Nike. I think everybody knows Nike, so I can use it as an example, not only due to Corona, but in general people tend to buy your clothes online instead of going to their local shops. So you need to move your business online, which means to grow, strengthen and secure It infrastructure. And especially you need to have It under controls you don't experience outages poor connectivity and lost data, causing angry customers and lost business. The way how to have your It under control, well managed, secure and strong is called Governance. Imagine governance as all the rules that you must set to your tens or hundreds of It people and the technology that they manage. Example of such rules are access rights, rule that only approved people can access client data, or rule that every request from a user must be locked in and many more. The sophisticated terminology for those rules and related activities is Enterprise Governance for Information and Technology, which means company governance for everything within the whole company that relates to It company is not only It right, the rest of the company has rules too. And it is called the corporate Governance. The EGIT is then part of this corporate governance who is setting all these rules and makes sure they are executed well, typically board of directors or a top management of each company for the overall corporate governance and the other levels of management for EGIT. I will give you an example here. I was holding a workshop for employees of big corporate company for governance implementation. I got this great question from one participant. He said well lady, this is brilliant what you are telling us here. We like all these practices and we truly need them. We have tried countless times to implement it, but people don't follow. So tell us how to do it so the people will follow. And what my answer was people, your governance is not working. If you are missing the rules or rules are not followed, it means that people in your company responsible for governance are not doing their job. Simple as that. If that happens, you are in trouble in many ways. Firstly, your It will not be under control, well managed, secure and strong. And besides, even if you are employing the best It people in the world, their effort may be wasted. Because without governance rules from the top, these brilliant people's work will not be aligned to what the business really needs. So let's summarize, why do you need governance for your Nike It department? Why do you need the rules? Well, because what we said at the beginning, your It needs to be under control. And control means properly do what your business user needs so the business user can get things done to give value. Imagine your accountant is using ant system to issue invoices. There is a governance that the invoicing system has to be operating during business hours. This is aligned with the needs of the accountants he can properly issue invoices when needed. He can work properly. This means your night company gets paid. And that's quite valuable for you as a manager and owner, isn't it? This slide contains another way to explain governance. Nike needs to transfer their business online, and it's basically undergoing digital transformation. By doing that, it will become more and more dependent on it, and that brings new risks. Why? Well, because if there is an outage or it doesn’t work in some way, the business will not work. So we need the rules, the governance, to help create value for the enterprise through It. Enabling Nike to sell online health means maintaining and increasing the value derived from existing It investments and infrastructure there, as well as eliminating those It initiatives and assets that are not creating value for them. So these are the benefits. The value that it delivers should be aligned directly with the value on which the business is focused. As we said already, the governance is there to handle the new risks that it brings for the business, the risks associated with the use, ownership, operation, involvement, influence, and adoption of it within the enterprise. It-related business risks consist of it-related events that could potentially impact the business, while the value derived before it focused on the creation of the value and benefit. Risk management focuses on the preservation of the value, so it stays there. What could be an example of risk optimization? Well, rules for recording all changes so we know what is happening in our infrastructure or rules for access right, so the risk of data breach is lower, and so on. Governance is also about ensuring the appropriate capabilities are in place to execute strategic plan and sufficient, appropriate and effective resources are there. Resource optimization ensures that integrated economical IT infrastructure is provided, new technologies introduced as required by the business, and also the obsolete system. The old ones are updated or replaced because this outcome recognized the importance of people as well. In addition to this hardware software infrastructure, it focuses on providing training, promoting retention, and ensuring competence of key IT personnel. So, besides ensuring value or benefits while optimizing risk, the Governance makes sure that Nike has the right infrastructure and people who know how to take care of It. And if you are still not convinced that Governance is quite crucial for your IT, there is another motivation for you. Other Benefits of Governance another benefit of Governance is lower It related continuity cost. Lower It related continuity cost means that your company saves money because it has less outages and therefore less loss of related productive business hours of your employees. If It works well, the company may feel secure to use new It enabled technologies in new areas. For example, you as an It manager, you are really happy with your It, you trust It and you feel safe to experiment. You may want to try an application for close eber delivery. If there's an Eber eats, why not Eber dresses? But if you spent 100% of your time handling complaints about ID outages EB addresses, or any other innovation. Don't even come to your mind. You don't even have time for this. If you have a good governance, you can be sure that investment into It are exactly what my company needs. If your IT is stable and under control because It has a good governance, of course business can trust it more. Another crazy phrase value mindset. This sentence hides a simple thing everything that It has here described as a digital asset, mainly hardware and software links to value for their business. So all these are benefits and importance of governance. And great news. You don't have to invent all the governance, all the rules for It yourself. They were invented for you and also collected from experience of successful companies and are known as COBIT. Cobit has been over 25 years on the market and is generally accepted worldwide as a framework for IT governance. It was originally designed for auditors and it is still used by auditors. But it has evolved into broader and comprehensive It governance and management framework. And here's something very important COBIT is not only for you as an owner and a manager, it can be used by anyone in It and outside It. Here you can see some examples of people within a company who can use It. Here you can see even how they use it for the business. People like boards, executive management and business managers. It is mainly about how to utilize It, so It serves us and we can do our business really well. So as an It manager, you can be sure that It is working well for you and even helps you to support your new opportunities, such as Ebird dresses for assurance providers, such as Internet quality audit or Risks department and It managers. It is mainly about having It under control and avoiding sleepless nights with coordinating outages after unauthorized changes. Also, let's give examples of people outside of the company who can use It. Here they are regulators, business partners, It vendors and the next picture shows again how they use it.These external parties, external regulators sent auditors to check whether your company fulfills their regulations, such as law. Auditors use COBIT to check whether you fulfill the law. And you as the night manager, you can use COBIT to check your potential business partners or vendors, whether the IT is secure enough and reliable for you. So, what we've already said about COBIT it's a framework for the governance and management of enterprise. It enterprise it means all the technology and information processing the enterprise puts in place to achieve its goals. Regardless of where this happened in the enterprise, corporate is aimed at the whole enterprise. In other words, enterprise. It is not limited to the It department of an organization, but certainly includes It. COBIT makes a clear distinction between governance and management. These two disciplines encompass different activities, require different organizational structures and serve different purposes. They will be covered in the next few slides. Copy defines the components to build and sustain a governance system. Until now I kept simplifying and I kept saying that governance are the rules. But that's not entirely true. Governance are also processes, organization, structures, roles, policies and even technology. These are called components of governance and we will be covering them later in this course. These last two bullets talk about design factors and governance and management objectives, which I will explain in detail later in the course. So I will not stop here and I will give you proper explanation later. Until now we talked about governance only governance are the rules. But what about management? Management is a different topic. Managers run the company, following the rules, following the governance. Even if you are the top manager, you will still be obliged to follow the governance, the rules. Let's compare these two governance and management. Let's describe governance again and then management. I will display an additional slide to explain governance activities. Nike and any other company have lots of different stakeholders, meaning parties that somewhat interact with the company, such as customers. Customers want the company to make good quality and cheap products for them. Owners want to make profit. Employees want good working conditions and salaries. Auditors want the company to follow the law and so on. Governments, represented typically by the board of directors takes those needs, processes them and decides how the company will work. It creates the rules and gives it to the management to follow. So if you are an employee, next time you have to follow a rule which you see as a nonsense or useless, be aware that they might be different company stakeholders whose needs are different than yours and he or she needs you to follow that rule. All these different stakeholder needs are evaluated by the board of directors, prioritize and directives and rules are set. It is of course monitored whether it is followed. Some organizations even establish specific departments to execute the governance, for example, security Department or Sourcing Department to manage suppliers. So this was the explanation of governance. And explanation of management is easy. This is the management just as you know it. Manage your people, plan, coordinate, make decisions and so on. And all of your work lays within the borders given by governance. We have explained the difference between governance and management in COBIT. And now we can also say what COBIT is not or where it doesn't help you. COBIT is really just for it. It doesn't cover other businesses like finance, HR, sales and it doesn't cover individual technology like Microsoft, Cisco, HP. It also doesn't tell you exactly what to do. It's just telling you which decisions should be taken, how and by whom in it. And before we completely close this lecture, let's summarize the importance of governance, not only for Nike, but for other companies as well. These days it is becoming crucially important. In the past, when companies didn't need it to operate. They could ignore the It governance. They didn't have to care whether it brings value and is not risky. It is no longer possible. Imagine Nike and a lot of other businesses are operating almost entirely online now. They are dependent on It for survival and growth. They need it to be under control, safe and efficient to support the business. Therefore, they need the rules for It to do so. They need the governance today more than ever.

2. COBIT format and product architecture

Hi. You may be wondering how COBIT looks—is it a book, software, or an article online? And how does it go together with other standards such as Italy, ISO, CMMI and others? This is what we will discuss in this lecture titled COBIT Format and Product Architecture. First, let's see how COBIT looks like. This picture here is a bit heavy. It contains a lot of parts which each one of them has a special chapter further within the course. Later we will talk about Kobe core model, design factors, focus areas, and other COBIT content. Now we will check in detail four COBIT core publications in which you can find all the Cobit content that we are studying within this course. You can see four boxes here with titles of four books. Let me displace those titles here again. First book framework, introduction and methodology you have already downloaded It explains what COBIT is and how to use it. Basically, 80% of this course is based on this book. Remaining 20% is based on framework, governance and management objectives. This book you have already downloaded. It contains core covet content such as processes, responsibilities in It, metrics for It and many more. So if you need to know how to process incidents and outages in your It, thesis called Incident Management Process Incomet. You can check this book remaining two books. The Design Guide and Implementation Guide are focused only on how to implement COBIT in your organization. They are covered by a different course, but we will explain the basics here’s you will have an idea how to implement COBIT even by completing this course. Let’s now have a look at how COBIT evolved from previous version, which was version five, and how it fits with other standards. COBIT is on the market over25 years and it keeps evolving. It's flexible and open to new content. It prescribes the governance for It, so it doesn’t have to be invented from the scratch. And it even shows you how to measure your It performance, which means how well is your It governed and managed. COBIT doesn't contradict any other framework or standard, just the opposite. It is complementary to them and it even provides references to how different Cobit parts relate to other frameworks. So if your Nike company uses ITIL already, Cobit contains links to how various COBIT areas are covered by ITIL as well, so you might not need to implement them duplicity. Here you can see a few examples of standards to which COBIT refers to. You don't have to study these standards, they are just examples. And this was the last information of this section. So let's return back to our overview slide. Congratulations. We have just completed the second section, the Framework Introduction. You now know what is the governance of It, and that COBIT is your prescription, how you should govern and manage your it. In Nike, COBIT consists of core four books from which two of them. We will cover in details within this course. This section is required for the exam and I recommend you to take the quiz at the end of this section so you have an idea how deep you need to study. If you prefer reading the topic, refer to your student guide where you can fire references to your downloaded books. Don’t get discouraged by the scientific terminology. Be aware that behind those difficult words are really simple and valuable concepts. It is same like in life. Sometimes you have to look under the surface to find the treasures. I’m looking forward to seeing you in the next section, Principal.

Hide

Principles

1. Principles

Welcome to the third section of our course the Principles. When I explain principles in trainings, I usually say imagine principles like a good advice that you should follow to be successful with your guide Governance. We differentiate two sets of principles two sets of good advice principles for Governance System and Principles for Governance Framework. You can see the two bubbles below. This will represent also two chapters within this lecture. First we will go through Principles for Governance system and then Principles for Governance Framework. What do those scientific terms mean? Let's start with the first one. I will remind you that you are the manager of Nike. And Nike does have some kind of governance system, meaning it has set of rules the way they are controlled and exact responsibilities. Again, the whole system how Nike governance is set up is called the Governance system. Kobe recommends that your governance system for I tin Nick must follow these six principles. You can see them here and we’ll explain them one by one. The first principle says that unique It governance system must be set up in a way that it provides value for its stakeholders such as customers, users, employees, government and others. Do you remember this picture? This shows that it provides value to its customers. It is the governance system in It that ensures that it is working according to certain rules that assure that the value will be there. For example, there is a rule as a part of your governance system that if a Nike accountant or any other user asks for a video conference software, he will get it installed within one day. That is a very good rule enabling users to do their work well and on time even when they get suddenly into the covet guarantee. So do you agree with me that this rule as a part of your Nike It governance system provides benefits to the users? These benefits are valuable only if the videoconference is secure and it will not be hacked by someone and it's content abused. Therefore, there will be rules in your governance system that each user will get his access approved and must protect his password. Also, the value will be there only if the resources, meaning the infrastructure where the videoconference is provided is cost efficient, not obsolete. And there are people in It who understand how to install and properly maintain it. To summarize, this unit governance system must provide value for its stakeholders and that will be provided by providing benefits while taking care of risks and properly managing resources. To recognize what exactly might be those benefits that customers and other stakeholders need might not always bias easy as the example with video conference. Therefore, COBIT helps you to detect what stakeholders need by using a concept of Go cascade. Go cascade will be explained in details in the fourth section lecture go Cascade. But the basic idea is that it describes common stakeholder needs and it translates them into exec governance rules. But watch the Gold Cascade Lecture later to find out more. Unique governance system must be holistic, meaning complete. So it shouldn't focus, for example, on processes only, or people only, or technology only. But it should focus on everything that is in your It and govern all the components, not only some of them. One of the upcoming lectures The Components of the Governance System, will explain all the components from which the Governance system consists of. Examples of such components are people, processes, technology and more. Again, why holistic or complete? I will give you an example from my own experience in the past, Kobe focused heavily on processes. Also, other It frameworks, such as Italy focused on processes as well, which is good. We need processes. These are the rules telling us what to do step by step. But imagine once I was employed and also doing consulting in a company which had nearly the best processes in It I've ever seen. They were precise, fit to the company’s size and needs, really well designed. But their It was in a mess. It struggled to deliver what they promised outages and security breaches were daily bread. I was really puzzled. And then I found out once I started working, my work involves following a process, so I've started doing it. But my colleagues and even my boss told me not to. I was arguing, but it is prescribed by the process. And they said it doesn't matter, we don't follow these. It’s okay to do it another way. It was normal for everyone in the company that processes don't have to be followed. It was part of their beliefs, part of their normal behavior. Therefore, the governance system in this company didn't work. It focused on processes, but it didn’t focus on culture and behavior. Or there could be another reason why the governance system doesn't work if the company focuses on processes, focuses on cultures well, but forget about supporting technology. So It doesn't have proper tools to help them with their governance, such as monitoring systems, service desk systems, infrastructure protection, like firewalls and so on. This means holistic covering many components that the governance system consists of and not focusing on just one. We have a separate lecture, Components of the Governance System, that explains all the governance components. Your governance system must be dynamic as well, which means that all these components people, processes, technology are interconnected. So it's obvious that if you change one, it will impact the others. So one component change requires review and maybe redesign of the other components. Governance. And It is not only about components. Also, so-called design factors lead to changes in governance. What I mean by design factors, for example, enterprise strategy or company size imagine that the company strategy changes from cost saving to growth. There will be different governance, different rules set within the company if it focused on cost saving than if it focuses on growth, right? Or if the company is small, there will be less formal processes, policies, procedures, less governance. Then later, when the company grows into a large enterprise, the governance will be changing as well. So design factors also influence how governance will be changing. We have several lectures later within the course explaining how design factors influence the governance system. COBIT strictly distinguishes between governance and management. I have explained this difference in the Framework introduction section. Governance is executed by different people and covers different activities than management. Fifth principle is called tailored to enterprise needs. Governance must be tailored based on various design factors we have discussed a moment ago. Governance system will be different for large enterprise like Nike and different for a small kindergarten size of the company Nike, or a small kindergarten. This is one of the many design factors that will be discussed later. Design factors will help you to set up your governance system. Last governance system principle is coverage end to end. We have also said that in previous section you don't apply the governance only within your It department, but anywhere in your Nike company, which has anything to do with it. This could be HR, for example, hiring people for it or finance controlling cost of it. So these are six principles that your Nike governance system must follow. Now we will move to the second chapter the Governance Framework principles. What the term means the Governance Framework principles. If you choose any governance framework, such as COBIT Qubit is a governance framework, or you can choose any other, or you can even invent your own governance framework. Why you would use a governance framework? Well, to build your governance system, to build all the rules, design people's responsibilities, the way, how all the rules will be monitored, and so on. And great news is that you can use already existing frameworks such as COBIT to build your governance system. I will explain this again. What is the governance system and governance frame work during lecture Enterprise Governance of It, we have explained that every company needs governance. By governance we mean a complete system consisting of the right processes, organizational structures, behavior, culture, technology. And we said that the company doesn't have to invent the whole system, the complete governance from the scratch. But It can use a governance framework to copy it, to use It to create their system. But it is important that your chosen governance framework follow these three principles or three good advice. Here you can see all three of them and we will explain them one by one. I don't have to emphasize that COBIT of course follows all three of them. Unique governance framework should be based on a conceptual model. This means you should have a picture of main components of your governance such as processes, technology, people and description how they are connected. For example, you always have a table with responsibilities of people for each process. Second principle for your governance framework is to be open and flexible and allow updates and adding new content. For example, COBIT has defined extra topics that are called the focus areas. Examples of currently defined focus areas are cybersecurity risks or DevOps. These are new topics that are being continuously added to covet and there will be more in the future. Whenever there is a new trend, issue or knowledge in the It world, COBIT can react by creating a new focus area to cover this change. So we can say that COBIT as a governance framework is open and flexible. Focus areas are in scope of this course and we will talk more about them later. The third and last framework principle is that it must be aligned to major standards, frameworks and regulations on the market. We can say about COBIT that it can be used together with other standards. And not only that, it can also explain or it does explain how each COBIT area is covered in other standards. You will see that in governance and management objective section and that is all we need to know about principles within this basic course. So, quick recap what we have learned in this section we recognize two sets of principles for Governance System and Principles for Governance Framework. There are six principles for a governance system. You can see them here again, and this is just a recap. So I will display this only for a moment. And there are three principles for Governance Framework. Again, there's nothing new on this slide, so this is just a quick recap. And if you apply both sets to your night company, you will be safe and live happily ever after. Don't forget to try the quiz after this section, as principles are required for the exam. I'm looking forward to seeing you in the next section, the Governance System and Components where we have a closer look on your governance system and we will finally see all its components. Until now, I just keep giving examples such as Processes and people.

Hide

Governance System and Components

1. Choosing a right Infrastructure as Code tool

Welcome to the fourth section of the course "Governance System and Components." We have several lectures here where we will cover how your governance system should look and which components form the governance system. Let's start with an explanation. What are the governance and management objectives? As an owner-manager of Nike, do you want your company to be well governed and managed? If your answer is yes, you need to fulfil a number of objectives, or we could say goals. You can see some examples here, such as ensuring risk optimization, making sure that risks within Nike are under control, or managing vendors—making sure that your suppliers are well managed so they deliver as required. COBIT defines 40 governance and management objectives. You can see all 40 of these objectives here. We have an extra section to explain each of them, so you don't need to read all of them now. For now, just notice that they are divided into five parts. The top five rectangles in the Duplo are five rectangles. The rectangle is the objective for governance. So five goals that you know a governing body must do or achieve. You can see our previous example here, the EDM three-insured risk Risk Optimization. The remaining four rectangles are for management, which means what you, as an item manager, and other managers must do, such as in our previous example, APO Ten managed vendors. Now, what are these strange codes? IDM three, APO ten. These five rectangles here have names. Let's look at another picture with their names—and let's not call them rectangles, but domains. You see, there is a dark blue domain for governance, which is called EDM, evaluate, direct, and monitor, and four domains for management: APO, align, plan, organise, build, acquire, implement, DSS, deliver, service, and support, and MEA. Monitor, evaluate, and assess. In the EDM domain, the governing body evaluates strategic options, directs the senior management on the chosen strategic options, and monitors the achievement of the strategy. The APO domain addresses the overall organization, strategy, and supporting activities for it. Bai domain is related to new services, new infrastructure, acquisitions and implementations of IT solutions, and their integration into business processes. DSS's domain addresses the operational, delivery, and support aspects of its services, including security. And finally, the MEA domain addresses performance, monitoring, and conformance with its internal performance, target, and external requirements. We have an extra section within this course called Governance and Management Objectives in which we will go to greater detail and we will explain what each domain does, what each objective contains in detail, who should do it in the company, and much more. For now, let's just add that each one of these 40 objectives contains one process, and governance objectives are the responsibility of governing bodies or boards and top management, while management objectives are the responsibility of senior and middle management. If this lecture is a bit confusing or abstract, please be patient for a moment. Once you go through the Governance and Management Objectives section of this course, this lecture will make sense. And you will find that this part of COBIT is very practical and useful. So, let's continue this description of your Nike governance setup.

Hide