2. The basic factors of the security-supported governance methodology
2.2 The PCUBE-SEC operational objective - remodelling the definition of the control
2.2.3 The Operational Objective of PCUBE-SEC
Of course, COBIT 98 through COBIT 4.1 can still be used very well, despite the multiple meanings of "control objective" illustrated by the examples above. However, for my research purposes I need a direct, explicit relation between enterprise strategy and information security, together with IT audit tools and methods. Using this relation, these tools and methods will provide PCUBE-SEC operational objectives that lie on the practical level of company life but can be used to achieve higher, strategic-level goals.
This will hopefully yield, as a positive side-effect, a closer understanding between top management and information security officials.
Thus my proposal is to generalize the activities that achieve the objectives towards activities that improve operations; these will be my operational activities, described later. Accordingly, I extend the scope of the control objective towards the operational arena and attach strategy to it explicitly:
I define the operational objective as an objective of one or more operational area(s) or role(s) to be achieved in order to contribute to the fulfillment of strategic goal(s) of the company.
Let us define the "distance of an operational objective from the strategy" as its degree of importance related to enterprise strategy, in other words, its importance in achieving that strategy.
Explanation:
This importance is subjective in itself. However, PCUBE-SEC "assigns" a concrete value to it. More precisely, it cannot assign one concrete value to one distance, since the distance cannot be expressed by a single number; it has meaning only in comparisons.
That is, this distance, like the other qualifying parameters in PCUBE-SEC, can be measured "only" in a relative way: the distances of operational objectives have to be related to each other, expressing that one objective is "closer" to a strategic goal than the other, or that it is "further" from this goal than the other.
Thus this distance connects the PCUBE-SEC operational objective directly and explicitly to the strategy, or more exactly to a strategic goal. Of course, instead of a strategic goal, any other important lower-level goal can be used in the same way.
Relating objectives either to the same, or to a different strategic goal can also be sensible.
For example, using this relative measurement, evaluating the risk connected to different assets is just as possible as it would be with independent measuring numbers.
Now, as this weighting means a relative distance, the values can be, for example, "little, medium and high", characterizing importance, but 1, 2 and 3 can be used just as well.
Using this distance feature is not obligatory, as it is not always known. However, the PCUBE-SEC user is advised to find as many relative comparison possibilities like this as possible, since these make any evaluation more expressive.
This definition of the operational objective shows that fulfilling the objective contributes to the strategy, rather than being sufficient to fulfill a strategic-level objective. From this it follows that any advice in the PCUBE-SEC knowledge base, put there e.g. by other users, contributes to our success but cannot ensure it. That is, we do not have to deal with the mathematical completeness of the promised PCUBE-SEC derivation process. Accepting the result of this derivation is at the PCUBE-SEC users' discretion. Should the objective be a necessary condition, then logical completeness would have to be proved.
A very important consequence of the definition of the operational objective is that the excellence criteria can be special operational objectives. They can also be lower-level goals on the "road" leading to strategic goals. Thus they can serve as examples of using the PCUBE-SEC generalization of information security and IT audit ideas directly in corporate governance.
Now we have explicitly substituted the control objectives with the more general operational ones. When using the control objectives to give advice on how to serve the 34 IT processes, ISACA often moves in this more general direction, too. Among the countless possible examples, let us quote from the advice on project management, given in the form of a control objective for the IT process "Manage Projects". This can be applied to non-IT projects just as well.
One of the control objectives here is the "Project Management Framework" (PO10.2). It begins: "Establish and maintain a project management framework that defines the scope and boundaries of managing projects", and continues by emphasizing the necessity of assigning checkpoints and approvals to the project phases one by one, the necessity of integrating the project into the enterprise project management portfolio, etc. [COBIT 4.1].
The other remarkable thing to note is that the ISACA control objective has never actually been the objective of an auditor, or of anybody specially interested in complying with a prescription coming from an external source, but it could be the objective of any member of the staff.
And how do we derive more and more concrete operational objectives from the strategy? This question of the PCUBE-SEC user can be translated as: how do we identify the things to be done? This is the point where PCUBE-SEC will be able to help, by offering seemingly information-security- or IT-audit-related activities and objectives to achieve business goals. Derivation here means finding operational-level objectives that contribute to the achievement of given strategic goals.
Top management will usually have higher-level objectives than those of the staff. Not only because their way of thinking is closer to the strategy than that of the others, but because, usually, employees of lower rank have to find out how to fulfill these high-level goals and then execute the necessary tasks.
An operational objective of a top manager can be, for example, the availability of strategic information at any time it is needed, while managers on a lower level of the hierarchy might suggest, as one precondition of this goal, the availability of application system X every morning from 8 to 10 in order to pre-arrange the necessary data. There are many non-IT examples in the operational area, e.g. only products already available in the warehouses can be sold, but selling them at the same time requires commercial and marketing activities.
In the ISACA or ISO materials the improving activities are almost always restricted to the IT staff. Here we deal with the whole palette of operations, where IT is one of the "colours", even if a very important one, often heavily affecting, through its quality, the performance of the other activities.
The COBIT control objectives, from 1998 to 2007 at least, support business by means of effective implementation, operation and supervision of IT processes, while the more general operational objectives of PCUBE-SEC are directly related to the strategic goals.
The ultimate goal is to give effective means to implement, operate, supervise, and later even to build such operational processes that serve the market success of the institution in the best way.
The reverse way of thinking is not forbidden either. IT security and audit professionals familiar with their methodologies might find, in the recipes collected by PCUBE-SEC users, ideas that have already been useful for other companies. If they want to "sell" such an idea to their management, they will be eager to find enterprise-level goals that can be supported by the idea they would like to implement. This will facilitate the cooperation between security, audit and business, yielding useful inspiration for business use.