IT Self-Assessment

Columns: Process | Areas Covered | Self-Assessment Tool | Best Practices

Process: Planning & Organization
Areas Covered:
  • Strategic Business Plan (Compact Plan)
  • Organization-wide IT Strategic Plan
  • IT Value Management
  • Technology Selection
Self-Assessment Tool: IT Strategic Planning
Best Practices:
  • Example: College of Textiles IT Strategic Plan
  • COBIT PO1.1 IT Value Management
  • COBIT PO1.2 Business-IT Alignment
  • COBIT PO1.3 Assessment of Current Capability and Performance
  • COBIT PO1.4 Strategic Plan

Process: Planning & Organization
Areas Covered:
  • IT Policies and Procedures
  • IT Organization Roles and Responsibilities
  • IT Steering Committee and Communication
Self-Assessment Tool: IT Processes, Organization & Relationships
Best Practices:
  • Example: College of Textiles IT Steering Committee Charter
  • COBIT PO3.1 Technological Direction Planning
  • COBIT PO4.3 IT Steering Committee
  • COBIT PO4.6 Establishment of Roles and Responsibilities
  • COBIT PO4.9 Data and System Ownership
  • COBIT PO4.11 Segregation of Duties
  • COBIT PO4.13 Key IT Personnel; COBIT 7.5 Dependence upon Individuals
  • COBIT PO4.15 Relationships

Process: Planning & Organization
Areas Covered:
  • IT Budgeting and Prioritization
  • IT System Capabilities, Performance and Risk Assessment
  • Training and Development Plans
Self-Assessment Tool: IT Investment (Budgeting), Risk Assessment, Training and Development
Best Practices:
  • COBIT PO5.3 IT Budgeting; PO5.2 Prioritization within IT Budget
  • COBIT PO6.2 Enterprise IT Risk and Control Framework
  • COBIT PO6.3 IT Policies Management
  • COBIT PO6.4 Policy, Standard and Procedures Rollout
  • COBIT PO6.5 Communication of IT Objectives and Direction
  • COBIT PO7.4 Personnel Training
  • State Personnel Manual, Training, Section 9, Page 1 – Personnel Training and Development
  • COBIT PO9.4 Risk Assessment; COBIT 9.4 Risk Response
  • COBIT PO10.4 Stakeholder Commitment

Process: Technology Acquisition and Implementation
Areas Covered:
  • Infrastructure Plan
  • Infrastructure Protection & Availability
  • Technology Infrastructure Maintenance
  • Computer Equipment Inventory
Self-Assessment Tool: Acquire and Maintain Technology Infrastructure
Best Practices:
  • COBIT AI3.1 Technology Infrastructure Acquisition Plan
  • COBIT AI3.2 Infrastructure Resource Protection and Availability
  • COBIT AI3.3 Infrastructure Maintenance
  • COBIT DS13.5 Preventative Maintenance for Hardware

Process: Technology Acquisition and Implementation
Areas Covered:
  • Change Management Procedures
  • Change Impact
  • Plan & Document Changes
Self-Assessment Tool: Manage Change Process
Best Practices:
  • COBIT AI6.1 Change Standards and Procedures
  • COBIT AI6.2 Impact Assessment, Prioritization and Authorization
  • COBIT AI6.3 Emergency Changes
  • COBIT AI6.4 Change Status Tracking and Reporting
  • COBIT AI6.5 Change Closure and Documentation
  • COBIT DS13.5 Preventative Maintenance for Hardware

Process: Delivery and Support
Areas Covered:
  • Identification and Tracking of Critical Information Systems
  • Maximum Tolerable Downtime
  • Disaster Avoidance
  • Interdependency Risks
  • Authorized Recovery Plan
  • Recovery Plan Testing
  • Disaster Communication Plan
Self-Assessment Tool: Business Continuity & Disaster Recovery
Best Practices:
  • University Policies, Regulations, and Rules (PRR) REG 04.00.7
  • COBIT DS4.1 IT Continuity Framework
  • COBIT DS4.2 IT Continuity Plans
  • COBIT DS4.3 Critical IT Resources
  • COBIT DS4.4 Maintenance of the IT Continuity Plan
  • COBIT DS4.5 Testing of the IT Continuity Plan
  • COBIT DS5.6 IT Continuity Plan Training
  • COBIT DS5.8 IT Services Recovery and Resumption
  • COBIT DS4.9 Offsite Backup Storage
  • COBIT DS11.5 Backup and Restoration

Process: Delivery and Support
Areas Covered:
  • Data Backup Scope, Frequency and Retention
  • Backup Data Integrity
  • Ongoing Backup Process
  • Testing Backup Media
  • Restoration Procedures
  • Secure Handling of Data Backup Media
Self-Assessment Tool: Data Backup
Best Practices:
  • COBIT DS4.9 Offsite Backup Storage
  • COBIT DS11.5 Backup and Restoration

Process: Delivery and Support
Areas Covered:
  • Data Center/Server Room Sites
  • Authorized Physical Access
  • Physical Security Off Hours
  • Visitor Access Control
  • Physical Access Revocation
  • Testing Physical Access Controls
  • Safety of Data Center Occupants
  • Physical Equipment Protection
  • Adequate Environmental Protections (UPS, humidity, fire suppression, etc.)
  • Data Center/Server Room Cooling
Self-Assessment Tool: Physical Security and Environmental Controls
Best Practices:
  • COBIT DS12.2 Physical Security Measures
  • COBIT DS12.3 Physical Access
  • COBIT DS12.4 Protect Against Environmental Factors
  • COBIT DS12.5 Physical Facility Management
  • REG 07.40.2 – Reporting Misuse of State Property

Process: Delivery and Support
Areas Covered:
  • Service Level Identification
  • Adequate and Appropriate Service Level
  • Continuous Service Level Assessment
  • Strategic IT Resource Distribution
  • IT Staff Review
  • IT Staff Training and Backup Personnel
  • IT Staff Vacations
  • IT On-Call Procedures
Self-Assessment Tool: Service Level
Best Practices:
  • Example: College of Textiles Service Level Agreement
  • PRR REG 05.50.4 – SPA Employee Performance Appraisal Program
  • PRR Employee Time Record
  • COBIT DS1.4 Service Level Agreements; COBIT DS1.5 Monitoring and Reporting of Service Level Achievements

Process: Delivery and Support
Areas Covered:
  • Help Desk Support
  • Support Call Recording and Tracking
  • Standardized Problem Resolution
  • Recurring Problems
  • Help Desk Performance Monitoring
Self-Assessment Tool: Problem Management / Help Desk
Best Practices:
  • COBIT DS8.1 Service Desk
  • COBIT DS8.4 Incident Closure
  • COBIT DS10.1 Identification and Classification of Problems
  • COBIT DS10.2 Problem Tracking and Resolution
  • COBIT DS10.3 Problem Closure

Process: Delivery and Support
Areas Covered:
  • Logical User Identification & Approval
  • Uniquely Identifiable User IDs
  • User Authentication
  • User Access Rights
  • IS Account Management
  • Access Logging and Accounting
Self-Assessment Tool: Identity & Access Management
Best Practices:
  • COBIT DS5.3 Identity Management
  • COBIT DS5.4 User Account Management
  • North Carolina State University Password Standard

Process: Delivery and Support
Areas Covered:
  • Network Security Architecture
  • Secure Access, Secure Data Storage and Secure Communication
  • Data Retention
  • Security Testing
  • IS Monitoring & Surveillance
  • Incident Response
Self-Assessment Tool: Network and Data Security, and Security Testing, Monitoring, and Incident Response
Best Practices:
  • COBIT DS5.5 Security Testing, Surveillance and Monitoring
  • COBIT DS5.6 Security Incident Definition
  • COBIT DS5.9 Malicious Software Prevention, Detection and Correction
  • COBIT DS5.10 Network Security
  • COBIT DS5.11 Exchange of Sensitive Data
  • COBIT DS11.4 Disposal
  • COBIT DS11.6 Security Requirements for Data Management
  • Data Management Procedures – REG 08.00.3
  • State Information Technology Standard – Standards for Clearing or Destroying Media

Process: Delivery and Support
Areas Covered:
  • Secure Platform
  • Security Configuration Baseline
  • Malware Protection
  • Patch Management
  • Sensitive Web Application Identification
  • Web Security Standards
  • Secure Front-end Access
  • Website Security Testing
  • Secure End-user Computers
  • Antivirus & Anti-malware Protection
  • Desktop Firewalls
  • Secure Network Share
  • Endpoint Encryption
  • Endpoint Patch Management
Self-Assessment Tool: Operating System (OS), Web and User Endpoint Security
Best Practices:
  • COBIT DS5.9 Malicious Software Prevention, Detection and Correction
  • NIST 800-53 AT-2 Security Awareness

Process: Monitor and Evaluate
Areas Covered:
  • Measurable Objectives for Key IT Processes
  • IT Performance Reports
  • Compliance Evaluation Process
  • IT Strategic Alignment
Self-Assessment Tool: Monitoring and Evaluating IT Performance
Best Practices:
  • COBIT ME1.1 Monitoring Approach
  • COBIT ME1.4 Performance Assessment
  • COBIT ME1.5 Board and Executive Reporting
  • COBIT ME1.6 Remedial Actions
  • COBIT ME3.3 Evaluation of Compliance with External Requirements
  • COBIT ME4.2 Strategic Alignment