MOF to COBIT/Val IT Comparison

and Cross-Implementation Guide

How to Leverage MOF in a COBIT/Val IT Environment

Version 1.01

Published: June 2009


Authors: Patrick Voon, CGEIT, CISA, CISSP
Senior GRC SME
Edgile Inc.
Javier Salido, M.Sc., MBA.
Senior Program Manager, Data Governance
Trustworthy Computing Group, Microsoft Corporation

For the latest information, please see www.microsoft.com/datagovernance


MOF to COBIT/Val IT Comparison and Cross-Implementation Guide ii

Copyright © 2008 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is
your responsibility. By using or providing feedback on this documentation, you agree to the license agreement
below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or
organization, then this documentation is licensed to you under the Creative Commons Attribution-
NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or
send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS".
Your use of the documentation cannot be understood as substituting for customized service and information
that might be developed by Microsoft Corporation for a particular user based upon that user’s particular
environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS
ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY
DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering
subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your
use of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-
mail addresses, logos, people, places and events depicted herein are fictitious.

Microsoft, Active Directory, Excel, SharePoint, SQL Server, Visual Studio, Windows, and Windows Server are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to
the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft,
without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You
also give to third parties, without charge, any patent rights needed for their products, technologies and
services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback.
You will not give Feedback that is subject to a license that requires Microsoft to license its software or
documentation to third parties because we include your Feedback in them.

Copyright. This publication includes COBIT 4.1, which is used by permission of ITGI. ©1996-2007 IT
Governance Institute (ITGI). All rights reserved. COBIT is a registered trademark of Information
Systems Audit and Control Association (ISACA) and ITGI.

Trademark. COBIT is a registered trademark of the Information Systems Audit and Control
Association (ISACA) and the IT Governance Institute (ITGI). All rights reserved

Neither ISACA nor ITGI endorse, sponsor, or are otherwise affiliated with this publication. Microsoft
assumes sole responsibility for the use, reference, or inclusion of COBIT 4.1 and the accuracy of the
use, reference, or inclusion of the COBIT 4.1 materials. Neither ISACA nor ITGI makes any
representations or guarantees regarding the accuracy of the use, reference, or inclusion of COBIT
4.1 in this publication. Neither ISACA nor ITGI is affiliated in any manner with this publication or
Microsoft.

Acknowledgements

This guide was developed with reviews performed by Governance, Risk, and Compliance
(GRC) subject matter experts, auditors, consultants, and those members of the technical
community who work with complex GRC requirements in their own organizations. We
wish to recognize and thank the following reviewers for their time and contribution.

John Howie
Sr. Director Risk Program Management
Global Foundation Services Group, Microsoft Corporation

Djalma Andrade
Security Manager
Microsoft Brazil

Jose Campos
Director Worldwide Security Communities
Trustworthy Computing Group, Microsoft Corporation

Michael Kranawetter, CISA, CISM, CIPP
Chief Security Advisor
Microsoft Germany

Douglas Lee
Architect
Microsoft Corporation

Jeffrey Miller, CGEIT, CISSP
Senior Technical Program Manager
Microsoft Corporation

Roin Nance, CPA, CISA
COO and GRC Service Leader
Edgile, Inc.

Betsy Norton-Middaugh
Senior Program Manager
Microsoft Corporation

Andy Shell
Practice Manager
Edgile, Inc.

Jerry J. Trammel, MBA/MHA, CISSP, CHC
Director of Privacy and Security Compliance
Kaiser Permanente

Acknowledgements ........................................................................................ iii


I. Introduction .............................................................................................. 5
Abstract ...................................................................................................... 5
Value Proposition ......................................................................................... 5
Overview and Focus ...................................................................................... 5
II. Description of Frameworks ....................................................................... 7
Val IT ......................................................................................................... 7
COBIT .......................................................................................................... 8
MOF...........................................................................................................11
III. How the Frameworks Relate ................................................... 13
MOF to Val IT ..............................................................................................14
MOF to COBIT ..............................................................................................15
IV. How to Leverage MOF.............................................................................. 17
The Scenario ..............................................................................................17
Leveraging MOF ..........................................................................................17
Tailoring.....................................................................................................20
Prioritizing ..................................................................................................21
Planning .....................................................................................................22
Key to Success............................................................................................22
V. Conclusion ............................................................................................... 24
Appendix A – Detailed Mapping of MOF Interfaces to Val IT ......................... 25
Appendix B – Detailed Mapping of MOF Components to COBIT ....................... 35
Appendix C – Glossary .................................................................................. 48
Appendix D – References .............................................................................. 51
I. Introduction
Abstract
The purpose of this MOF to COBIT/Val IT Comparison and Cross-Implementation Guide
is to help IT operations managers and IT operations professionals understand how
MOF 4.0 aligns with, and supports, the COBIT 4.1 (Control Objectives for Information and
related Technology) and Val IT 2.0 governance frameworks. Specifically, this guide
provides tips and techniques on how to leverage MOF 4.0 to achieve the Governance,
Risk, and Compliance (GRC) objectives defined within the COBIT 4.1 and Val IT 2.0
frameworks.

Value Proposition
IT operations managers and professionals are responsible for managing and delivering
quality and reliable IT services on a daily basis. In addition to performing day-to-day
operational responsibilities, IT faces increasing demands to achieve compliance with
corporate policies and standards, statutory requirements such as those in SOX, GLBA,
and the European Union Data Protection Directive, regulations like PCI DSS, and
security standards such as ISO 27001.

IT operations is constantly faced with the challenge of managing IT services in a manner
that demonstrates compliance with this plethora of requirements. Since these
requirements are Governance, Risk and Compliance (GRC) in nature, many organizations
have adopted the COBIT and Val IT governance frameworks to manage their GRC needs.
Nevertheless, these frameworks are designed to provide general enterprise and IT
governance guidance and therefore do not provide the specific operational and technical
guidance that IT operations requires. It is in this area where MOF can play a vital role in
enabling IT operations to integrate GRC capabilities into their day-to-day operations of
delivering quality and reliable IT services. Put another way, MOF provides IT operations
with the nuts and bolts for building GRC capabilities into the entire service management
life cycle. IT professionals focused on GRC will find that Microsoft makes available
through its web site relevant and practical MOF-based aids, tools, and best practices that
they can use to implement these capabilities and that will simplify the task of achieving
operational excellence and compliance. The objective of this document is to provide IT
professionals familiar with COBIT and Val IT with a mapping of these frameworks to MOF
so that they can then leverage these aids, tools, and best practices.

Overview and Focus
Besides the COBIT and Val IT governance frameworks, MOF is also closely related to the
ITIL service management framework. Conceptually, MOF can be viewed as an underlying
operational framework to Val IT, COBIT, and to some extent, ITIL (even though ITIL is
itself an operational framework). What this means is that MOF supports COBIT and Val IT
directly by implementing their strategic concepts and tactical principles in an operational
service environment. This concept is depicted in Figure 1, below.

Figure 1 - MOF, Val IT, COBIT, and ITIL

This guide focuses on the mapping of MOF to Val IT and COBIT. The mapping of MOF to
ITIL will be addressed in a separate guide, as both these frameworks reside at the
operational layer. In the following section, general descriptions of the Val IT, COBIT, and
MOF frameworks are provided. Subsequently, in Section III, we examine how MOF
relates to Val IT and COBIT. Then in Section IV, we provide some tips and techniques on
how to leverage MOF to address your GRC needs within the context of Val IT and COBIT.
A scenario is used to illustrate how to leverage MOF and a list of references with links to
recommended resources is provided in Appendix D.
Detailed mappings of MOF to Val IT and MOF to COBIT are also included in the
appendices.

II. Description of Frameworks
This section provides a description of each of the three frameworks being examined (Val
IT 2.0, COBIT 4.1, and MOF 4.0). This will provide you with a general understanding of
each framework's purpose and how the frameworks are structured. A basic
understanding of each framework is necessary in order to further examine how they
relate to each other.

Val IT
Val IT is developed and maintained by the IT Governance Institute (ITGI), which is an
independent non-profit research institute affiliated with the Information Systems Audit and
Control Association (ISACA). Val IT was developed subsequent to COBIT when the ITGI
recognized the need for a framework that sets good practices for the process of value
creation. This can be accomplished by providing enterprises with the structure they
require to measure, monitor and optimize the realization of business value from their
investment in IT. Consequently, the Val IT framework was developed by drawing on the
collective experience of a global team of practitioners and academics, existing and
emerging practices and methodologies, and a rapidly growing body of research.
Val IT is a comprehensive and pragmatic organizing framework that enables the creation
of business value from IT-enabled investments. Designed to align with and complement
COBIT, Val IT integrates a set of practical and proven governance principles,
processes, practices and supporting guidelines that help boards, executive
management teams and other enterprise leaders optimize the realization of value from IT
investments. In other words, Val IT helps enterprises understand if they are making the
right investments and to decide whether they are optimizing the returns obtained from
them. COBIT helps enterprises understand if projects resulting from the aforementioned
investments are being executed correctly, from an IT perspective. Taken together, Val IT
and COBIT provide business and IT decision makers with a comprehensive framework for
the creation of value from the delivery of high-quality IT-based services.
The Val IT Principles consist of the following:
• IT-enabled investments will be managed as a portfolio of investments.
• IT-enabled investments will include the full scope of activities that are required to
achieve business value.
• IT-enabled investments will be managed through their full economic life cycle.
• Value delivery practices will recognize that there are different categories of
investments that will be evaluated and managed differently.
• Value delivery practices will define and monitor key metrics and respond quickly
to any changes or deviations.
• Value delivery practices will engage all stakeholders and assign appropriate
accountability for the delivery of capabilities and the realization of business
benefits.
• Value delivery practices will be continually monitored, evaluated and improved.
The Val IT principles are applied in the following three domains to optimize value:
• Value governance – ensures that value management practices are embedded
in the enterprise, enabling it to secure optimal value from its IT-enabled
investments throughout their full economic life cycle.
• Portfolio management – ensures that an enterprise secures optimal value
across its portfolio of IT-enabled investments.
• Investment management – ensures that the enterprise's individual IT-enabled
investments contribute to optimal value.
Within each domain, Val IT Processes are defined as displayed in Figure 2 below.

Figure 2 - Val IT Domains and Processes

Val IT further defines each process by identifying a set of Key Management Practices
required to support each process. The complete list of key management practices is
described in the full Val IT 2.0 publication, which may be downloaded at
www.itgi.org/valitdownloads.
In addition, Val IT provides management guidelines to help enterprises in setting up and
managing value management processes in their environment. For each Val IT process,
the Val IT management guidelines include:
• Process inputs and outputs.
• Activity descriptions, with RACI (Responsible, Accountable, Consulted and
Informed) charts that help clarify roles and responsibilities.
• Goals and metrics at strategic, tactical, and operational levels.

COBIT
COBIT was first published by the ITGI in April 1996. Since then, there have been three
updates, with Edition 4.1 being the latest version, released in 2007. COBIT draws from
the expertise of its association's members, industry experts, and control and security
professionals. Its content is based on ongoing research into IT good practices and is
continuously maintained, providing an objective and practical resource for executive
management, business management, IT management, and auditors. For detailed
information on COBIT, we recommend that you download a complimentary copy of the
complete COBIT 4.1 publication at www.isaca.org/cobit.
While Val IT sets good practices for the "destination" of contributing to the process of
value creation, COBIT sets good practices for the "journey". Essentially, the purpose of
COBIT is to support IT governance by providing a common control framework that
ensures the following:
• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT risks are managed appropriately
In order to fulfill its purpose, COBIT was structured with the main characteristics of being
business-focused, process-oriented, controls-based and measurement-driven. As a
result, the framework provides a reference process model and common language for
everyone in an enterprise to view and manage IT activities. The framework's process
model consists of the following four life cycle domains:
• Plan and Organize (PO)—Provides direction to the Acquire and Implement (AI)
and Deliver and Support (DS) domains
• Acquire and Implement (AI)—Provides the solutions and passes them to be
turned into services
• Deliver and Support (DS)—Receives the solutions and makes them usable for
end users
• Monitor and Evaluate (ME)—Monitors all processes to ensure that the direction
provided is followed
Across these four domains, COBIT identifies 34 IT processes that are generally used by
IT organizations. For each of these 34 processes, a link is made to the business and IT
goals that are supported. Information on how the goals can be measured, what the key
activities and major deliverables are, and who is responsible for them is also provided.
COBIT defines control objectives for all 34 processes, as well as overarching process and
application controls. Control objectives provide a complete set of requirements to be
considered by management for effective control of each IT process. They are
characterized as follows:
• Statements of managerial actions to increase business value or reduce risk
• Consist of policies, procedures, practices and organizational structures
• Designed to provide reasonable assurance that business objectives will be
achieved and undesired events will be prevented or detected and corrected
Details on the control objectives are described in the complete COBIT 4.1 publication.
In order for an enterprise to understand the status of its own IT systems and to decide
what level of management and control the enterprise should provide, COBIT utilizes the
following measurement techniques:
• Maturity models to enable benchmarking and identification of necessary
capability improvements
• Performance goals and metrics for the IT processes, that measure how these
processes meet business and IT goals based on balanced scorecard principles
• Within each process, a set of activity goals that enable and measure process
performance
Additional details about these measurement techniques are included in the complete
COBIT 4.1 publication. Figure 3 below summarizes the components of the COBIT
framework.

Figure 3 - COBIT Framework



MOF
Microsoft® Operations Framework (MOF) consists of integrated best practices,
principles, and activities that provide comprehensive guidelines for achieving reliability for
IT solutions and services. MOF provides question-based guidance that allows you to
determine what is needed for your organization now, as well as activities that will keep
the IT organization running efficiently and effectively in the future.
The guidance in the Microsoft Operations Framework encompasses all of the activities
and processes involved in managing an IT service: its conception, development,
operation, maintenance, and—ultimately—its retirement. MOF organizes these activities
and processes into Service Management Functions (SMFs), which are grouped together
in phases that mirror the IT service lifecycle. Each SMF is anchored within a lifecycle
phase (Plan, Deliver, and Operate, plus the Manage layer) and contains a unique set of
goals and outcomes supporting the objectives of that phase. An IT service's readiness to
move from one phase to the next is confirmed by management reviews, which ensure
that goals are achieved in an appropriate fashion and that IT's goals are aligned with the
goals of the organization. Figure 4 below presents a graphical view of MOF's IT service
life-cycle phases and the associated SMFs (bulleted) and Management Reviews
(rhomboids).
Figure 4 - MOF Service Lifecycle and SMFs

The goal of MOF is to provide guidance to IT organizations to help them create, operate,
and support IT services while ensuring that the investment in IT delivers expected
business value at an acceptable level of risk.
MOF's purpose is to create an environment where business and IT can work together
toward operational maturity, using a proactive model that defines processes and standard
procedures to gain efficiency and effectiveness. MOF promotes a logical approach to
decision-making and communication and to the planning, deployment, and support of IT
services. MOF is available for public download at http://microsoft.com/mof.
III. How the Frameworks Relate
In the previous section, we saw that COBIT sets good practices for the “journey” of
contributing to the process of value creation, while Val IT sets good practices for the
“destination” of optimizing business value from IT investments. At the same time, MOF
is the operational framework that deals with the nuts and bolts of planning, delivering,
operating, and managing IT services. Essentially, Val IT is concerned with the end-state
of enterprise governance; COBIT is focused on the IT controls required to achieve that
end-state; and MOF details the operational implementation (service management) of
the IT controls required to achieve the desired enterprise governance end-state. This
relationship is best illustrated by the diagram in Figure 5 below.

Figure 5 - MOF, COBIT, Val IT Relationship

[Labels recovered from the Figure 5 diagram:]
• Val IT: Enterprise Governance (Strategic). Are we doing the right things? Are we getting the benefits?
• COBIT: IT Controls (Tactical). Are we doing them the right way? Are we getting them done well?
• MOF: Service Management (Operational). Are we enabling the necessary end-state capabilities?
• Arrows: COBIT Processes & Controls to Val IT Processes & Practices; MOF SMF interfaces to Val IT Processes & Practices; MOF SMFs to COBIT Processes & Controls

In the illustration above, we see that given each framework's purpose, Val IT addresses
the strategic (Are we doing the right things?) and valuation (Are we getting the benefits?)
questions, while COBIT addresses, at the tactical level, the architectural (Are we doing
them the right way?) and delivery (Are we getting them done well?) questions.
Meanwhile, MOF addresses the operational implementation question: Are we enabling
the necessary end-state capabilities?[1] To answer MOF's designated question, we will
now see how MOF SMFs interface with the Val IT processes and practices, and then how
the SMFs map to COBIT's processes and controls.

MOF to Val IT
While, as we will see in the following section, MOF SMFs can be mapped directly to
corresponding COBIT processes and control objectives, that is not the case with Val IT.
There is no functional overlap between Val IT and MOF. Rather, the MOF SMFs
interface with Val IT by feeding their results as input to the Val IT processes. Only a subset
of the SMFs in MOF interface with the Val IT processes. Figure 6 below depicts the
high-level interfaces.

Figure 6 - MOF High-level Interfaces to Val IT

[Labels recovered from the Figure 6 diagram:]

Val IT domains and processes:
• Value Governance: VG1 Establish informed & committed leadership; VG2 Define and implement processes; VG3 Define portfolio characteristics; VG4 Align & integrate value mgmt with enterprise financial planning; VG5 Establish effective governance monitoring; VG6 Continuously improve value mgmt practices
• Portfolio Management: PM1 Establish strategic direction and target investment mix; PM2 Determine the availability & sources of funds; PM3 Manage the availability of human resources; PM4 Evaluate & select programs to fund; PM5 Monitor & report on investment portfolio performance; PM6 Optimize investment portfolio performance
• Investment Management: IM1 Develop and evaluate the initial program concept business case; IM2 Understand the candidate program and implementation options; ...; IM7 Update operational IT portfolios; ...; IM10 Retire the program

MOF phases, SMFs and Management Reviews:
• Plan: SMFs Business/IT Alignment, Reliability, Policy, Financial Mgmt.; Management Reviews Portfolio, Service Alignment
• Deliver: SMFs Envision, Project Planning, Build, Stabilize, Deploy; Management Reviews Project Plan Approved, Release Readiness
• Operate: SMFs Operations, Service Monitoring & Control, Customer Service, Problem Mgmt.; Management Review Operational Health
• Manage: SMFs Governance, Risk, & Compliance; Change & Configuration; Team; Management Review Policy & Control

[1] Based on the 'Four Ares' as described by John Thorp in his book "The Information Paradox", written jointly
with Fujitsu, first published in 1998 and revised in 2003.

Note that only the SMFs that are in black font interface with Val IT; the SMFs in gray do
not. A detailed interface mapping of MOF to Val IT is presented in Appendix A.

MOF to COBIT
From a process lifecycle perspective, MOF's three lifecycle phases (Plan, Deliver, and
Operate) map to the four COBIT domains (Plan & Organize, Acquire & Implement, Deliver
& Support, and Monitor & Evaluate). Concurrently, MOF's Manage layer and
Management Reviews map across all four of the COBIT domains as well. It is important,
however, to emphasize the fact that MOF and COBIT do not completely overlap, as each
framework addresses aspects of IT management that are not covered by the other. A
high-level mapping is represented visually in Figure 7 below.

Figure 7 - High-level MOF Mapping to COBIT

[Labels recovered from the Figure 7 diagram:]

COBIT domains, processes and control objectives:
• Plan & Organize: PO1 Define a strategic IT plan; PO2 Define the information architecture; PO3 Determine technological direction; ...; PO10 Manage projects
• Acquire & Implement: AI1 Identify automated solutions; AI2 Acquire & maintain application software; ...; AI7 Install & accredit solutions and changes
• Deliver & Support: DS1 Define and manage service levels; DS2 Manage third-party services; DS3 Manage performance and capacity; ...; DS13 Manage operations
• Monitor & Evaluate: ME1 Monitor and evaluate IT performance; ME2 Monitor and evaluate internal control; ME3 Ensure compliance with external requirements; ME4 Provide IT governance

MOF phases, SMFs and Management Reviews:
• Plan: SMFs Business/IT Alignment, Reliability, Policy, Financial Mgmt.; Management Reviews Portfolio, Service Alignment
• Deliver: SMFs Envision, Project Planning, Build, Stabilize, Deploy; Management Reviews Project Plan Approved, Release Readiness
• Operate: SMFs Operations, Service Monitoring & Control, Customer Service, Problem Mgmt.; Management Review Operational Health
• Manage: SMFs Governance, Risk, & Compliance; Change & Configuration; Team; Management Review Policy & Control

We see that MOF's Operate phase also maps over a portion of COBIT's Monitor &
Evaluate domain. Within each of the three lifecycle phases of MOF and its Manage
layer, the SMFs map to the corresponding COBIT processes and control objectives within
each COBIT domain. A detailed mapping of MOF to COBIT is presented in Appendix B.


IV. How to Leverage MOF
Now that we understand how MOF relates to COBIT and Val IT, we will discuss how
organizations can leverage MOF-based guidance and tools in a COBIT and Val IT
environment. At the beginning of this guide we indicated that IT operations will find
relevant and practical MOF aids, tools, and best practices that they can use to implement
GRC capabilities. We will illustrate this further by looking at a scenario and using the
cross-reference mapping tables in Appendices A and B, along with some tips and
techniques from Microsoft.

The Scenario
We can leverage MOF itself, and the aforementioned tools and guidance, to achieve
operational excellence and compliance in a particular IT service such as User Account
Management.
Let's assume that executive management has received multiple complaints from
business units, because it takes weeks before new employees are provisioned with the
personal credentials required to access the IT resources necessary to perform their job
duties. Furthermore, to circumvent this problem, new employees are encouraged to
share credentials belonging to existing employees. Internal Audit identified this as an
issue as it violates company policy and external regulations concerning individual
accountability. In addition, the external auditors issued a significant finding related to the
retention of previously assigned access privileges of employees transferred to new
positions. Another finding revealed that system accounts belonging to employees who
had been terminated for over 3 months still remained active.
The IT organization is responsible for addressing these issues. Unfortunately, IT has not
clearly defined User Account Management as a service it provides, and currently lacks
the ability to measure performance in this service area. Much of the operation of User
Account Management relies on undocumented and social knowledge within the IT
organization. Where and how can they even begin to address these issues?
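One way to make the three findings in this scenario measurable, as an added example that is not part of the original guide: the HR feed, the account and entitlement export, the role names and the 90-day threshold are all constructed assumptions for illustration.

```python
"""
Audit checks for the User Account Management scenario above.

Added example; not part of the original guide. It turns the scenario's three
findings (slow provisioning, accounts left active after termination, and
privileges retained after a transfer) into repeatable checks over two
constructed data sets: an HR feed and an account/entitlement export.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Threshold assumed for this example; the scenario cites accounts still active
# for employees terminated "for over 3 months".
STALE_AFTER_DAYS = 90


@dataclass
class Employee:
    emp_id: str
    hire_date: date
    role: str
    termination_date: Optional[date] = None
    # (previous_role, transfer_date) when the employee moved to a new position
    transfer: Optional[Tuple[str, date]] = None


@dataclass
class Account:
    emp_id: str
    created: date
    enabled: bool
    # entitlement name -> the job role that entitlement belongs to
    entitlements: Dict[str, str] = field(default_factory=dict)


def provisioning_lead_time(emps: List[Employee], accts: List[Account]) -> Dict[str, Optional[int]]:
    """Days from hire date to account creation; None when no account exists yet.
    This is the service-level metric the scenario says IT cannot currently measure."""
    by_emp = {a.emp_id: a for a in accts}
    return {
        e.emp_id: (by_emp[e.emp_id].created - e.hire_date).days if e.emp_id in by_emp else None
        for e in emps
    }


def stale_terminated_accounts(emps, accts, as_of, threshold_days=STALE_AFTER_DAYS):
    """(emp_id, days since termination) for enabled accounts whose owner left more
    than threshold_days ago (the 'terminated for over 3 months' finding)."""
    by_emp = {a.emp_id: a for a in accts}
    hits = []
    for e in emps:
        if e.termination_date is None:
            continue
        a = by_emp.get(e.emp_id)
        if a is None or not a.enabled:
            continue
        age = (as_of - e.termination_date).days
        if age > threshold_days:
            hits.append((e.emp_id, age))
    return hits


def retained_privileges(emps, accts):
    """(emp_id, entitlement) where the entitlement belongs to a transferred
    employee's previous role (the 'retention of previously assigned access' finding)."""
    by_emp = {a.emp_id: a for a in accts}
    hits = []
    for e in emps:
        if e.transfer is None or e.emp_id not in by_emp:
            continue
        previous_role, _ = e.transfer
        for name, role in by_emp[e.emp_id].entitlements.items():
            if role == previous_role:
                hits.append((e.emp_id, name))
    return hits


# Constructed sample data for illustration only.
AS_OF = date(2009, 6, 1)
SAMPLE_EMPLOYEES = [
    Employee("e1", date(2009, 4, 1), "analyst"),                                        # provisioned after 21 days
    Employee("e2", date(2005, 2, 1), "engineer", termination_date=date(2009, 1, 15)),   # left 137 days ago
    Employee("e3", date(2006, 9, 1), "engineer", termination_date=date(2009, 5, 1)),    # left 31 days ago, under threshold
    Employee("e4", date(2004, 6, 1), "hr", transfer=("finance", date(2009, 3, 1))),     # moved finance -> hr
    Employee("e5", date(2009, 5, 20), "analyst"),                                       # no account yet
]
SAMPLE_ACCOUNTS = [
    Account("e1", date(2009, 4, 22), True, {"reports_view": "analyst"}),
    Account("e2", date(2005, 2, 3), True, {"build_deploy": "engineer"}),
    Account("e3", date(2006, 9, 2), True, {"build_deploy": "engineer"}),
    Account("e4", date(2004, 6, 2), True, {"gl_post": "finance", "hr_view": "hr"}),
]


def run_audit(emps=SAMPLE_EMPLOYEES, accts=SAMPLE_ACCOUNTS, as_of=AS_OF):
    """Run all three checks and return their results keyed by finding."""
    return {
        "lead_time_days": provisioning_lead_time(emps, accts),
        "stale_terminated": stale_terminated_accounts(emps, accts, as_of),
        "retained_privileges": retained_privileges(emps, accts),
    }


if __name__ == "__main__":
    for finding, result in run_audit().items():
        print(finding, result)
```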

Leveraging MOF
Working our way up through the operational, tactical, and strategic levels (MOF to COBIT
to Val IT), we will first take a look at how we can leverage MOF itself. Referring to MOF
4.0, IT can start at the Plan phase by examining the Identify and Map Services process
within the Business/IT Alignment SMF. Within this SMF process, we see that IT can set a
goal of creating a service map for the User Account Management service. This service
map can be used throughout the IT organization to clarify the dependencies between
SLAs (Service Level Agreements), OLAs (Operating Level Agreements), technologies,
customers, and the impact to the service delivery. It identifies the resources necessary to
deliver the service described in the service catalog, who delivers that service, and who
consumes it.
The service map represents each service from the perspective of the business and the
user. It is divided into five sections:
• Customers. A categorized list of individuals and groups who use the service.
• Hardware. The hardware platforms necessary for service delivery.
• Applications. The operating system(s) and other applications the service
requires.
• Settings. The configuration settings necessary for the service to function.
• Internal/external services. The components that help ensure availability for the
service.
In developing this service map, the following activities are recommended:
• Identify services and owners.
• Identify key customers and users.
• Review, classify, and categorize key service component groups and service owners.
• Publish a service map.
Within each of these activities, IT will find guidance such as key questions to ask, inputs
to and outputs of each activity, and best practices. For instance, IT should consider the
following for identifying the service and owners:

Key questions:
• What does the business call the service?
• Who from IT is accountable for the business service? Who is the business representative for the service?
• Does the IT service representative know the IT owners of services dependent on this one?
Inputs:
• Existing responsibility matrices—for example, Responsible/Accountable/Consulted/Informed (RACI) charts
• List of business applications and services
• List of infrastructure services
• Configuration management system (CMS)
• Service portfolio; service catalog
Outputs:
• List of services and service owners, including business and IT representation
• List of all IT-dependent service owners
• RACI matrices
Best practice:
Use RACI, CMS, and Business Continuance/Disaster Recovery (BC/DR) plans to identify services and owners you might otherwise miss.

Since these activities depend on the availability of certain materials that serve as inputs
to the process, it may be apparent that these materials do not yet exist and will need to
be developed. This is an opportunity to transform any social knowledge into documents
and practices that are maintainable.
IT will find relevant job aids such as templates to assist them in developing fundamental
artifacts. For instance, there are job aids available for the Plan phase SMFs such as
OLA, SLA, and Service Catalog templates.
In addition to creating these fundamental artifacts, a graphic representation of the User
Account Management service should be created in the form of a service map. The
diagram in Figure 8 below depicts a sample service map for the User Account
Management service.
Figure 8 - Sample User Account Management Service Map
[Figure 8: service map diagram for the User Account Management service. Owners: IT Service Owner, Business Owner. Customers: Internal Users (Business Units, IT, Volunteers) and External Users (Contractors, Vendors, Partners). Hardware: Servers (Dell Servers, AS/400) and Workstations (Dell Desktops, Dell Laptops). Applications: Identity Lifecycle Manager, Active Directory, Windows Server 2008, Remedy Workflow, SQL Server 2005, PeopleSoft Workflow. Settings: GPO. Required Services: Core Network Infrastructure Services, SMTP.]

MOF to COBIT
We will now examine how leveraging MOF guidance supports COBIT in our scenario.
Referring to the mapping of MOF to COBIT in Appendix B, we see that the results from
the Identify and Map Services process under the Business/IT Alignment SMF in the
Plan phase, which maps to COBIT's PO1 Define a Strategic IT Plan process, will satisfy
the control objectives associated with PO1.2 Business-IT Alignment and PO1.5 IT
Tactical Plans. Obviously, addressing the issues related to the User Account
Management service will involve various other SMFs across the remaining MOF phases
and the Manage Layer. In order to keep this discussion to a reasonable length, we will
not examine all potentially applicable SMFs but would like to draw attention to two of
COBIT's control objectives that are directly related to the User Account Management
service. They are DS5.3 Identity Management and DS5.4 User Account
Management. Again, referring to the MOF to COBIT mapping in Appendix B, we see that
both of these control objectives map to MOF's Operate phase, Operations SMF, Plan
Operational Work and Execute Operational Work processes respectively. As such, IT
should pay special attention to the activities guidance for these two MOF SMF processes
in order to create results (e.g. operational workflow procedures for user account
management) that directly satisfy the control objectives. Additionally, there is a job aid
for the Operations SMF in the form of an Operations and Services Description
template. In our scenario, this template can be used to document all informal knowledge
for standard and common use. Contents of this document will also identify the customers
of the service, the support team, service/support availability, service level objectives (e.g.
provisioning and de-provisioning of accounts), metrics, monitoring, and reporting. Many
of these elements contribute to the related control objectives in COBIT.
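As an added example that is not part of this guide, the following Python script shows one way to turn the de-provisioning service level objective just mentioned into a measurable metric: it reconciles a constructed HR termination list against a constructed directory export, flags the scenario's failure mode (leavers whose accounts are still enabled, including any past a 90-day threshold) and reports SLO compliance. The record layouts, field names, the one-day SLO and all sample data are assumptions.

```python
"""Added example (not from the guide): measure the User Account Management
de-provisioning SLO by reconciling HR terminations with directory accounts.
Record layouts, field names and sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    """One row from the HR system of record (assumed layout)."""
    user_id: str
    termination_date: Optional[date]  # None: still employed


@dataclass(frozen=True)
class DirectoryAccount:
    """One account from a directory export (assumed layout)."""
    user_id: str
    enabled: bool
    disabled_on: Optional[date]  # None: never disabled, or not recorded


@dataclass(frozen=True)
class Finding:
    user_id: str
    status: str  # within_slo | late_disable | stale_active | orphan
    days: int    # disable lag, or days an enabled account has outlived its owner


def assess_deprovisioning(hr: List[HrRecord], accounts: List[DirectoryAccount],
                          as_of: date, slo_days: int = 1) -> List[Finding]:
    """Classify each terminated user's account against the SLO
    (slo_days is the assumed 'disable within N days' objective)."""
    by_id: Dict[str, DirectoryAccount] = {a.user_id: a for a in accounts}
    findings: List[Finding] = []
    for rec in hr:
        if rec.termination_date is None or rec.termination_date > as_of:
            continue  # current employee, or termination not yet effective
        acct = by_id.get(rec.user_id)
        if acct is None:
            continue  # nothing left to de-provision
        if acct.enabled:
            # The scenario's failure mode: a leaver whose account still works.
            days = (as_of - rec.termination_date).days
            findings.append(Finding(rec.user_id, "stale_active", days))
        else:
            # No disable timestamp: timeliness cannot be proven, assume the worst.
            disabled = acct.disabled_on or as_of
            lag = (disabled - rec.termination_date).days
            status = "within_slo" if lag <= slo_days else "late_disable"
            findings.append(Finding(rec.user_id, status, lag))
    # Enabled accounts with no HR owner have nobody accountable for their lifecycle.
    known = {h.user_id for h in hr}
    for acct in accounts:
        if acct.enabled and acct.user_id not in known:
            findings.append(Finding(acct.user_id, "orphan", 0))
    return findings


def summarize(findings: List[Finding], stale_threshold_days: int = 90) -> Dict[str, float]:
    """Roll findings up into the metrics an OLA/SLA report would carry."""
    counts = {s: 0 for s in ("within_slo", "late_disable", "stale_active", "orphan")}
    for f in findings:
        counts[f.status] += 1
    terminated = counts["within_slo"] + counts["late_disable"] + counts["stale_active"]
    compliance = counts["within_slo"] / terminated if terminated else 1.0
    long_stale = sum(1 for f in findings
                     if f.status == "stale_active" and f.days >= stale_threshold_days)
    return {**counts, "terminated_with_account": terminated,
            "slo_compliance": compliance, "stale_over_threshold": long_stale}


# Constructed sample data: four leavers, one current employee, one ownerless account.
AS_OF = date(2009, 6, 1)
SAMPLE_HR = [
    HrRecord("u001", date(2009, 2, 15)),  # left over three months ago
    HrRecord("u002", date(2009, 5, 20)),
    HrRecord("u003", date(2009, 5, 10)),
    HrRecord("u004", None),               # still employed
    HrRecord("u005", date(2009, 5, 28)),
]
SAMPLE_DIRECTORY = [
    DirectoryAccount("u001", True, None),
    DirectoryAccount("u002", False, date(2009, 5, 21)),
    DirectoryAccount("u003", False, date(2009, 5, 18)),
    DirectoryAccount("u004", True, None),
    DirectoryAccount("u005", True, None),
    DirectoryAccount("svc-legacy", True, None),  # no HR record at all
]


def example_report() -> Dict[str, float]:
    """Run the reconciliation over the constructed sample data."""
    return summarize(assess_deprovisioning(SAMPLE_HR, SAMPLE_DIRECTORY, AS_OF))


if __name__ == "__main__":
    for f in assess_deprovisioning(SAMPLE_HR, SAMPLE_DIRECTORY, AS_OF):
        print(f.user_id, f.status, f.days)
    print(example_report())
```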

MOF to Val IT
Similarly for Val IT, we refer to Appendix A and note that the Identify and Map Services
process under the Business/IT Alignment SMF in the Plan phase, which maps to Val
IT's VG3 Define Portfolio Characteristics process, will interface with the key
management practices associated with VG3.1 Define Portfolio Types and VG3.2
Define Categories (within portfolios). For instance, the results from MOF's Identify
and Map Services may have identified the User Account Management service as part of
a Shared Services Portfolio. Furthermore, this service may be categorized as
mandatory.
Regardless of whether IT is attempting to satisfy COBIT or Val IT requirements, it is
obvious that by leveraging MOF resources, we can address these requirements through
processes, policies, standards, procedures, guidelines, and supporting artifacts that can
be defined, documented, and maintained. Although MOF is designed to be usable in a
selective manner, by SMFs, we have seen from our scenario that there are threads of
input/output dependencies across the SMFs. To complicate matters further, IT is often
faced with multiple, competing, and changing requirements. In response to such
challenges, we will present some tips and techniques that will assist in a smoother
implementation of GRC capabilities when leveraging MOF-related resources in support of
a COBIT or Val IT environment.

Tailoring
Pure implementation of any framework "as-is" – without tailoring it to an organization's
culture and needs – will most certainly result in a failure to fully realize the intended
benefits. Whether it's MOF, COBIT, or Val IT, organizations need to carefully evaluate
each framework and adapt it to fit into the organization's unique environment.
If your organization has adopted the COBIT and Val IT frameworks, it is likely that
elements of these frameworks have been customized to ensure implementation is
consistent with the continually evolving business objectives of the organization.
Consequently, when leveraging MOF and Microsoft related guidance to align with these
frameworks, it is essential that you consult with your GRC subject matter experts (SME)
to understand what modifications have been made and how the frameworks are being
applied. For example, an organization may choose to rearrange some COBIT control
objectives from one process to another in order to match the actual process that is in
operation at the organization. In this case, the mapping for those control objectives
provided in Appendix A will have to be modified to match the change. Consequently, the
newly associated SMF process will need to be tailored to address those control
objectives.
In addition to adjusting MOF guidance to align with the current implementation of COBIT
or Val IT at your organization, it is also imperative that you evaluate the SMFs and tailor
them according to your current operations. Or you may choose to reengineer your
current processes to match the SMF processes. For example, you may discover
opportunities to improve existing processes by combining redundant ones into a single
process. Conversely, you may need to disassemble a complex process into smaller,
manageable components that suit your operations.

Prioritizing
In addition to evaluating and tailoring relevant guidance to support COBIT and Val IT
requirements, there is constant pressure for IT to deal with competing projects in a
rapidly changing business and technological environment. Herein sits an opportunity to
put MOF guidance into practice. Consider starting with the Plan phase's Business/IT
Alignment SMF, Identify Demand and Manage Business Requests process. Then
also consider the Manage Layer's GRC SMF, Establish IT Governance and Assess,
Monitor, and Control Risk processes. Following the activities in these SMF processes
will ensure that any work being done is aligned with the business priorities, approved by
management, supported with the required resources, and managed based on risk.
One way to look at risk-based prioritization is to compare the level of risk exposure to the
effort and complexity required to mitigate or eliminate the risk. This comparison is best
illustrated using a map, as shown below in Figure 9.

Figure 9 - Risk-based Prioritization Map
[Figure 9: heat map. Vertical axis: Risk Exposure (L = Low, M = Medium, H = High). Horizontal axis: Effort & Complexity to Resolve (L, M, H). Areas: Quick Hits (high risk exposure, low effort), Strategic Investment (high risk exposure, high effort), Low Priority (low risk exposure, low effort), Don't Do (low risk exposure, high effort).]

The vertical axis of the diagram represents the level of risk exposure, while the horizontal
axis represents the level of effort and complexity required to mitigate or eliminate the risk
exposure. The heat map is categorized into four general areas as follows:
• Don't Do – addresses low risk exposures that require a high level of effort and complexity to mitigate. The cost of the work required to resolve the risk is much higher than the cost of the risk exposure itself. It does not make business sense to conduct this work.
• Low Priority – addresses low risk exposures that require minimal effort and complexity. Work that falls into this area may be scheduled and completed as time permits.
• Quick Hits – addresses high risk exposures that require minimal effort and complexity. Obviously, work that falls into this area should receive high priority as it produces immediate benefits that are highly valuable, i.e., immediate Return on Investment (ROI).
• Strategic Investment – addresses high risk exposures that require a high level of effort and complexity. Work that falls into this area is typically long-term in nature and occurs over multiple phases. This work may be prioritized from medium to high with a formal schedule that is monitored and adjusted to ensure that progress is made to achieve the strategy.
By organizing work into these categories as goals, you can develop a roadmap to show
the priority and sequence of each goal.

Planning
With a roadmap in hand, the next step is to create an action plan for each goal. Most
quick hit goals will probably involve a simple project plan. On the other hand, the
strategic investment goals will likely require a more complex master project plan with
additional feeder plans under it.
When leveraging MOF guidance, take the time to evaluate the inputs and outputs of each
process activity in order to accurately identify the interdependencies of tasks that will be
documented in a project plan. For each project, consider using the guidance provided in
the Envision and Project Planning SMFs under MOF's Deliver phase. A couple of
relevant job aid templates available with the Deliver phase are the Vision Scope and
Functional Specification templates. These job aids provide a great way to document
project goals, objectives, assumptions, constraints, dependencies, acceptance criteria
(critical success factors), functional and non-functional requirements.
Lastly, a central function such as a Project Management Office (PMO) should assume
oversight responsibility for the coordination of multiple projects. This enables the
organization to gain a holistic view of all projects in progress, while ensuring that cross-
project issues and resource contentions are avoided or resolved quickly. Further, a PMO
can track and report on the status of all projects to senior management.

Key to Success
The key to successfully leveraging MOF is to avoid common mistakes. For example,
organizations that are comfortable with technological risks tend to take on too much, too
soon. They may aggressively categorize most goals as quick hits without regard to
comparing the benefits versus risks, and proper project planning. This often results in a
failure to achieve the goals. Following the tips described in the previous Prioritizing and
Planning sections can help prevent such undesirable results and ensure success.
Another common mistake is to examine MOF guidance in a piecemeal fashion without
considering the interdependencies across processes and how they relate to supporting
COBIT or Val IT. Although MOF can be leveraged in a modular fashion, doing so without
regard to how it affects other processes and how other processes may affect it can
cause a significant amount of rework down the road. This can be avoided by following
the tips described in the previous Tailoring section.
Other keys to success include the following:
• Thoughtful integration with company culture – perhaps one of the most crippling pitfalls an organization can face is the danger of poorly integrating change into the company culture. To ensure company-wide acceptance of change, management should develop an effective communication plan that clearly describes the reason and benefits of the change, how it will affect each individual, and how they can contribute to the success of the change. This should be presented in a manner that fits the company culture, recognizing the need to deliver timely communication and meaningful content throughout the change process.
• Clear roles and responsibilities – make sure that roles and responsibilities are not ambiguous but are clearly defined, communicated, and acknowledged.
• Meaningful metrics – when defining metrics, make sure that they are collectable, relevant, and meaningful to measuring performance according to defined goals and objectives.
• Sustainable processes – highly complex processes require significant effort and resources to sustain. Try breaking down and simplifying processes to make them more manageable and sustainable.
• Consistent enforcement – even where sound policies, standards, procedures, and processes are in place, a lack of follow-through in enforcing adherence leads to a false assurance that controls are operating as intended. To avoid this, remember to consider MOF's Management Reviews and the Manage Layer SMFs.
For additional tips and guidance on leveraging GRC capabilities in a Microsoft technology
environment, we encourage you to visit Microsoft's IT Governance and Compliance
Solution Accelerators webpage at: http://www.microsoft.com/compliance.
In particular, for GRC guidance, look for the IT Compliance Management Guide which
helps you address GRC requirements and organization-wide governance initiatives by
using an approach based on MOF. A download of this guide includes an Excel
workbook named IT Compliance Management Resources.xlsx. This workbook contains
a worksheet listing high-level objectives that are applicable to an IT department assigned
with GRC duties. Another worksheet contains GRC objectives and associated Microsoft
product configuration guidance to meet these objectives. Finally, there is a GRC
Management Inventory worksheet which contains GRC management guidance and
additional product guidance for the management of a GRC solution.
Another useful Microsoft Solution Accelerator is the Security Risk Management Guide,
which helps customers of all types plan, build, and maintain a successful security risk
management program. This guide is available at the same URL above.
V. Conclusion
In demonstrating the value proposition that MOF presents in supporting a COBIT and Val
IT environment, this guide has attempted to provide a basic understanding of each
framework, how MOF relates to COBIT and Val IT, a cross-reference mapping of these
relationships (in Appendices A and B), and tips on how to leverage MOF and supporting
Microsoft guidance.
We saw that each framework was designed from a different perspective for different
purposes. Val IT focuses on enterprise governance (strategic), COBIT on IT controls
(tactical), and MOF on service management (operational). While MOF SMF processes
can be mapped directly to COBIT's control objectives, this is not the case for Val IT:
there is no direct mapping; instead, only a subset of MOF SMF processes interface with
Val IT processes and key management practices.
Next, using a case scenario, we examined MOF guidance a little closer and discovered
that it includes detailed activities for each SMF process including key questions to ask,
activity inputs/outputs, and best practices. Furthermore, there are job aids and tools
available for each MOF phase such as document and worksheet templates that can
easily be customized and put into practical use.
We also presented some tips and techniques on tailoring, prioritizing, planning, and keys
to success when leveraging MOF resources. These tips and techniques will assist you in
successfully leveraging MOF guidance in your environment. Microsoft, through its IT
Governance and Compliance Solution Accelerators, also provides specific GRC guidance
that is based on MOF.
Based on this collective information, we submit that organizations can gain practical
benefits by leveraging MOF and supporting Microsoft guidance in their IT environment.
In particular, the key benefit for organizations is the ability to enable GRC capabilities
throughout their IT operations in support of COBIT and Val IT requirements.
Appendix A – Detailed Mapping of MOF Interfaces to Val IT
The tables in this appendix are organized by MOF phases with all of the respective SMF
interfaces mapped to the relevant Val IT components where applicable. Note that MOF
does not overlap with Val IT and not all SMF processes have interfaces to the Val IT
processes. SMF processes without any interfaces are indicated in gray-colored cells as
Not Applicable within the tables.

Columns: MOF Phase / SMF / Process → Val IT Domain / Process / Key Mgmt. Practices

PLAN phase – Business/IT Alignment SMF
• Define an IT Service Strategy → PORTFOLIO MANAGEMENT, PM1 Establish strategic direction and target investment mix: PM1.1 Review & ensure clarity of the business strategy and goals; PM1.2 Identify opportunities for IT to influence and support the business strategy; PM1.4 Translate the business strategy and goals into IT strategy and goals
• Identify and Map Services → VALUE GOVERNANCE, VG3 Define portfolio characteristics: VG3.1 Define portfolio types; VG3.2 Define categories (within portfolios)
• Identify Demand and Manage Business Requests → PORTFOLIO MANAGEMENT, PM1 Establish strategic direction and target investment mix: PM1.3 Define an appropriate investment mix; PM4 Evaluate and select programs to fund: PM4.1 Evaluate and assign relative scores to program business cases; PM4.2 Create an overall investment portfolio view; PM4.3 Make and communicate investment decisions; PM4.4 Specify stage-gates and allocate funds to selected programs; PM4.5 Adjust business targets, forecasts and budgets
• Develop and Evaluate IT Service Portfolio → VALUE GOVERNANCE, VG3 Define portfolio characteristics: VG3.3 Develop and communicate evaluation criteria (for each category); VG3.4 Assign weightings to criteria; VG3.5 Define requirements for stage-gates and other reviews (for each category)
• Service Level Management → VALUE GOVERNANCE, VG5 Establish effective governance monitoring: VG5.1 Identify key metrics; VG5.2 Define information capture processes and monitoring approaches; VG5.3 Define reporting methods and techniques

PLAN phase – Reliability SMF
• Planning; Implementation; Monitoring & Improving Plans → PORTFOLIO MANAGEMENT, PM6 Optimize investment portfolio performance: PM6.1 Optimize investment portfolio performance; PM6.2 Reprioritize the investment portfolio

PLAN phase – Policy SMF
• Determine Areas Requiring Policies → VALUE GOVERNANCE, VG2 Define and implement processes: VG2.2 Assess the quality and coverage of current processes; VG2.3 Identify and prioritize process requirements
• Create Policies; Validate Policy; Publish Policy → VALUE GOVERNANCE, VG2 Define and implement processes: VG2.4 Define and document the processes; VG2.5 Establish, implement and communicate roles, responsibilities and accountabilities; VG2.6 Establish organizational structures
• Enforce & Evaluate Policy; Review & Maintain Policy → VALUE GOVERNANCE, VG5 Establish effective governance monitoring: VG5.4 Identify and monitor performance improvement actions

PLAN phase – Financial Management SMF
• Establish Service Requirements and Plan Budget → VALUE GOVERNANCE, VG4 Align and integrate value management with enterprise financial planning: VG4.1 Review current enterprise budgeting practices; VG4.2 Determine value management financial planning practice requirements; VG4.3 Identify changes required
PLAN phase – Financial Management SMF (continued)
• Establish Service Requirements and Plan Budget → PORTFOLIO MANAGEMENT, PM2 Determine the availability and sources of funds: PM2.1 Determine overall investment funds
• Manage Finances; Perform IT Accounting and Reporting → VALUE GOVERNANCE, VG4 Align and integrate value management with enterprise financial planning: VG4.4 Implement optimal financial planning practices for value management

PLAN phase – Management Review SMF
• Service Alignment → VALUE GOVERNANCE, VG5 Establish effective governance monitoring: VG5.4 Identify and monitor performance improvement actions
• Portfolio Management → PORTFOLIO MANAGEMENT, PM5 Monitor and report on investment portfolio performance: PM5.1 Monitor and report on investment portfolio performance; PM6 Optimize investment portfolio performance: PM6.1 Optimize investment portfolio performance; PM6.2 Reprioritize the investment portfolio
DELIVER phase – Envision SMF (Val IT domain: INVESTMENT MANAGEMENT)
• Organize the Core Team → IM1 Develop & evaluate the initial program concept business case: IM1.1 Recognize investment opportunities
• Write the Vision/Scope Document → IM1 Develop & evaluate the initial program concept business case: IM1.2 Develop the initial program concept business case
• Approve the Vision/Scope Document → IM1 Develop & evaluate the initial program concept business case: IM1.3 Evaluate the initial program concept business case

DELIVER phase – Project Planning SMF (INVESTMENT MANAGEMENT)
• Evaluate Products and Technologies → IM2 Understand the candidate program and implementation options: IM2.1 Develop a clear & complete understanding of the candidate program; IM2.2 Perform analysis of the alternatives
• Write the Functional Specification → IM4 Develop full life-cycle costs and benefits: IM4.1 Identify full life-cycle costs and benefits; IM4.2 Develop a benefits realization plan; IM4.3 Perform appropriate reviews and obtain sign-offs
• Package the Master Project Plan → IM5 Develop the detailed candidate program business case: IM5.1 Develop the detailed program business case; IM5.2 Assign clear accountability and ownership
• Create the Master Schedule → IM3 Develop the program plan: IM3.1 Develop the program plan
• Review the Project Plans Approved Milestone → IM5 Develop the detailed candidate program business case: IM5.3 Perform appropriate reviews and obtain sign-offs

DELIVER phase – Build, Stabilize and Deploy SMFs (INVESTMENT MANAGEMENT)
• Build: Prepare for Development; Develop the Solution; Prepare for Release; Review the Scope Complete Milestone. Stabilize: Stabilize a Release Candidate; Conduct a Pilot Test; Review the Release Readiness Milestone. Deploy: Deploy Core Components; Deploy Sites; Stabilize Deployment → IM6 Launch and manage the program: IM6.2 Manage the program
DELIVER phase (continued; INVESTMENT MANAGEMENT)
• Deploy SMF: Review the Deployment Complete Milestone → IM6 Launch and manage the program: IM6.2 Manage the program
• Management Review SMF: Project Plan Approved → IM7 Update operational IT portfolios: IM7.1 Update operational IT portfolios; IM8 Update the business case: IM8.1 Update the business case
• Management Review SMF: Release Readiness → IM6 Launch and manage the program: IM6.2 Manage the program
OPERATE phase – Operations SMF
• Define Operational Work Requirements; Build Operational Work Instructions; Plan Operational Work; Execute Operational Work; Maintain Operational Work Instructions; Manage Operational Work → Not Applicable

OPERATE phase – Service Monitoring & Control SMF
• Define Service Monitoring Requirements → VALUE GOVERNANCE, VG5 Establish effective governance monitoring: VG5.1 Identify key metrics; VG5.2 Define information capture processes and approaches; VG5.3 Define reporting methods and techniques
• Implement New Service → Not Applicable
• Continuous Monitoring → VALUE GOVERNANCE, VG5 Establish effective governance monitoring: VG5.4 Identify and monitor performance improvement actions; PORTFOLIO MANAGEMENT, PM5 Monitor and report on investment portfolio performance: PM5.1 Monitor and report on investment portfolio performance
• Control & Reporting → VALUE GOVERNANCE, VG5 Establish effective governance monitoring: VG5.4 Identify and monitor performance improvement actions; PORTFOLIO MANAGEMENT, PM5 Monitor and report on investment portfolio performance: PM5.1 Monitor and report on investment portfolio performance

OPERATE phase – Customer Service SMF
• Record the User's Request; Classify the User's Request; Resolve the Request; Confirm Resolution and Close the Request → Not Applicable
• Ensure Good Service → INVESTMENT MANAGEMENT, IM9 Monitor and report on the program: IM9.3 Monitor and report on operational (service delivery) performance

OPERATE phase – Problem Management SMF
• Document the Problem; Filter the Problem; Research the Problem → Not Applicable
OPERATE phase – Problem Management SMF (continued)
• Research the Outcome → INVESTMENT MANAGEMENT, IM9 Monitor and report on the program: IM9.3 Monitor and report on operational (service delivery) performance

OPERATE phase – Management Review SMF
• Operational Health → PORTFOLIO MANAGEMENT, PM5 Monitor and report on investment portfolio performance: PM5.1 Monitor and report on investment portfolio performance; PM6 Optimize investment portfolio performance: PM6.1 Optimize investment portfolio performance; PM6.2 Reprioritize the investment portfolio; INVESTMENT MANAGEMENT, IM9 Monitor and report on the program: IM9.3 Monitor and report on operational (service delivery) performance
MANAGE LAYER – Governance, Risk, and Compliance SMF
• Establish IT Governance → VALUE GOVERNANCE, VG1 Establish informed and committed leadership: VG1.1 Develop an understanding of the significance of IT and the role of governance; VG1.2 Establish effective reporting lines; VG1.3 Establish a leadership forum; VG1.4 Define value for the enterprise; VG1.5 Ensure alignment and integration of business and IT strategies with key business goals; VG2 Define and implement processes: VG2.1 Define the value governance framework; VG2.2 Assess the quality and coverage of current processes; VG2.3 Identify and prioritize process requirements; VG2.4 Define and document the processes; VG2.5 Establish, implement and communicate roles, responsibilities and accountabilities; VG2.6 Establish organizational structures; VG5 Establish effective governance monitoring: VG5.1 Identify key metrics; VG5.2 Define information capture processes and approaches; VG5.3 Define reporting methods and techniques; VG5.4 Identify and monitor performance improvement actions
• Assess, Monitor, and Control Risk → PORTFOLIO MANAGEMENT, PM5 Monitor and report on investment portfolio performance: PM5.1 Monitor and report on investment portfolio performance; PM6 Optimize investment portfolio performance: PM6.1 Optimize investment portfolio performance; PM6.2 Reprioritize the investment portfolio
MANAGE LAYER – Governance, Risk, and Compliance SMF (continued)
• Assess, Monitor, and Control Risk → INVESTMENT MANAGEMENT, IM9 Monitor and report on the program: IM9.1 Monitor and report on program (solution delivery) performance; IM9.2 Monitor and report on business (benefit/outcome) performance; IM9.3 Monitor and report on operational (service delivery) performance; IM10 Retire the program: IM10.1 Retire the program
• Comply with Directives → Not Applicable

MANAGE LAYER – Change and Configuration SMF
• Baseline the Configuration; Initiate the Change; Classify the Change; Approve and Schedule the Change; Develop and Test the Change; Release the Change; Validate and Review the Change → Not Applicable

MANAGE LAYER – Team SMF
• Identify Changes Needed → PORTFOLIO MANAGEMENT, PM3 Manage the availability of human resources: PM3.1 Create and maintain an inventory of business human resources (HR); PM3.2 Understand the current & future demand (for business HR); PM3.3 Identify shortfalls (between current and future business HR demand); PM3.4 Create and maintain tactical plans (for business HR); PM3.5 Monitor, review & adjust (business function allocation & staffing); PM3.6 Create and maintain an inventory of IT HR; PM3.7 Understand the current & future demand (for IT HR); PM3.8 Identify shortfalls (between current and future IT HR demand); PM3.9 Create and maintain tactical plans (for IT HR)
• Align Responsibilities; Assign Roles → PORTFOLIO MANAGEMENT, PM3 Manage the availability of human resources: PM3.10 Monitor, review and adjust (IT function allocation and staffing)

MANAGE LAYER – Management Review SMF
• Policy & Control → VALUE GOVERNANCE, VG6 Continuously improve value mgmt. practices: VG6.1 Implement lessons learned
Appendix B – Detailed Mapping of MOF Components to COBIT
The tables in this appendix are organized by MOF phases with all of the respective SMFs
mapped to the relevant COBIT components where applicable. Note that a few SMF
processes do not map to their corresponding COBIT domain, but rather to a different COBIT
domain. For instance, the Service Level Management process under the Plan phase's
Business/IT Alignment SMF maps to COBIT's Deliver & Support domain's DS1
process. Conversely, certain COBIT processes do not map to their corresponding MOF
phase. As an example, COBIT's PO10 Manage Projects process does not map to any
MOF Plan phase SMFs but rather to MOF's Deliver phase's Envision and Project
Planning SMFs. These items are noted at the end of each MOF phase table.

Columns: MOF Phase / SMF / Process → COBIT Domain / Process / Control Objectives

PLAN phase – Business/IT Alignment SMF
• Define an IT Service Strategy → PLAN & ORGANIZE, PO1 Define a Strategic IT Plan: PO1.1 IT Value Management; PO1.2 Business-IT Alignment; PO1.4 IT Strategic Plan
• Identify and Map Services → PLAN & ORGANIZE, PO1 Define a Strategic IT Plan: PO1.2 Business-IT Alignment; PO1.5 IT Tactical Plans
• Identify Demand and Manage Business Requests → PLAN & ORGANIZE, PO1 Define a Strategic IT Plan: PO1.2 Business-IT Alignment; PO1.5 IT Tactical Plans
• Develop and Evaluate IT Service Portfolio → PLAN & ORGANIZE, PO1 Define a Strategic IT Plan: PO1.3 Assessment of Current Capability and Performance
• Service Level Management → DELIVER & SUPPORT, DS1 Define and Manage Service Levels: DS1.1 Service Level Management Framework; DS1.2 Definition of Services; DS1.3 Service Level Agreements; DS1.4 Operating Level Agreements

PLAN phase – Reliability SMF (PLAN & ORGANIZE)
• Planning → PO2 Define the Information Architecture: PO2.1 Enterprise Information Architecture Model; PO2.2 Enterprise Data Dictionary and Data Syntax Rules; PO2.3 Data Classification Scheme; PO3 Determine Technological Direction: PO3.1 Technological Direction Planning; PO3.2 Technology Infrastructure Plan
• Implementation → PO2 Define the Information Architecture: PO2.4 Integrity Management; PO3 Determine Technological Direction: PO3.4 Technology Standards; PO3.5 IT Architecture Board
• Monitoring & Improving Plans → PO3 Determine Technological Direction: PO3.3 Monitor Future Trends and Regulations; PO8 Manage Quality: PO8.1 Quality Management System; PO8.2 IT Standards and Quality Practices; PO8.3 Development and Acquisition Standards; PO8.4 Customer Focus; PO8.5 Continuous Improvement; PO8.6 Quality Measurement, Monitoring and Review

PLAN phase – Policy SMF (PLAN & ORGANIZE)
• Determine Areas Requiring Policies → PO6 Communicate Management Aims and Direction: PO6.1 IT Policy and Control Environment; PO6.2 Enterprise IT Risk and Control Framework; PO9 Assess and Manage IT Risks: PO9.1 IT Risk Management Framework; PO9.2 Establishment of Risk Context; PO9.3 Event Identification; PO9.4 Risk Assessment; PO9.5 Risk Response; PO9.6 Maintenance and Monitoring of a Risk Action Plan
• Create Policies → PO6 Communicate Management Aims and Direction: PO6.3 IT Policies Mgmt.
• Validate Policy → PO6 Communicate Management Aims and Direction: PO6.3 IT Policies Mgmt.
• Publish Policy → PO6 Communicate Management Aims and Direction: PO6.3 IT Policies Mgmt.; PO6.5 Communication of IT Objectives and Direction
• Enforce & Evaluate Policy → PO6 Communicate Management Aims and Direction: PO6.3 IT Policies Mgmt.; PO6.4 Policy, Standard and Procedures Rollout
• Review & Maintain Policy → PO6 Communicate Management Aims and Direction: PO6.3 IT Policies Mgmt.
Appendix B – Detailed Mapping of MOF Components to COBIT 37

MOF COBIT
Phase SMF Process Domain Process Control Objectives
Establish Service PO5 Manage the IT PO5.1 Financial
Requirements and Plan Investment Management Framework
Budget PO5.2 Prioritization
Within IT Budget
Financial
Management Manage Finances PO5 Manage the IT PO5.3 IT Budgeting
Investment PO5.4 Cost Management
Perform IT Accounting and PO5 Manage the IT PO5.4 Cost Management
Reporting Investment PO5.5 Benefit Mgmt.
Service Alignment DS1 Define and DS1.5 Monitoring and
DELIVER &
Manage Service Reporting of Service
Management SUPPORT
Levels Level Achievements
Review
Portfolio Management PLAN & PO1 Define a PO1.6 IT Portfolio
ORGANIZE Strategic IT Plan Management

Notes:
- COBIT's PO4 Define the IT Processes, Organization, & Relationships process and control objectives map to MOF's GRC SMF under the MANAGE layer.
- COBIT's PO7 Manage IT Human Resources process and control objectives map to MOF's Team SMF under the MANAGE layer.
- COBIT's PO10 Manage Projects process and control objectives map to MOF's Envision and Project Planning SMFs under the DELIVER phase, as well as the Establish IT Governance SMF under the MANAGE layer.
DELIVER phase

Envision SMF
  Organize the Core Team
    PLAN & ORGANIZE / PO10 Manage Projects: PO10.4 Stakeholder Commitment
  Write the Vision/Scope Document
    PLAN & ORGANIZE / PO10 Manage Projects: PO10.5 Project Scope Statement
  Approve the Vision/Scope Document
    PLAN & ORGANIZE / PO10 Manage Projects: PO10.6 Project Phase Initiation

Project Planning SMF
  Evaluate Products and Technologies
    ACQUIRE & IMPLEMENT / AI1 Identify Automated Solutions: AI1.1 Definition and Maintenance of Business Functional and Technical Requirements; AI1.2 Risk Analysis Report; AI1.3 Feasibility Study and Formulation of Alternative Courses of Action; AI1.4 Requirements and Feasibility Decision and Approval
    ACQUIRE & IMPLEMENT / AI2 Acquire and Maintain Application Software: AI2.1 High-level Design
    ACQUIRE & IMPLEMENT / AI3 Acquire and Maintain Technology Infrastructure: AI3.1 Technological Infrastructure Acquisition Plan; AI3.2 Infrastructure Resource Protection and Availability
  Write the Functional Specification
    ACQUIRE & IMPLEMENT / AI1 Identify Automated Solutions: AI1.1 Definition and Maintenance of Business Functional and Technical Requirements
    ACQUIRE & IMPLEMENT / AI2 Acquire and Maintain Application Software: AI2.2 Detailed Design; AI2.9 Applications Requirements Management; AI2.10 Application Software Maintenance
  Package the Master Project Plan
    ACQUIRE & IMPLEMENT / AI5 Procure IT Resources: AI5.1 Procurement Control; AI5.2 Supplier Contract Management; AI5.3 Supplier Selection; AI5.4 IT Resources Acquisition
    ACQUIRE & IMPLEMENT / AI7 Install and Accredit Solutions and Changes: AI7.2 Test Plan; AI7.3 Implementation Plan; AI7.5 System and Data Conversion
    PLAN & ORGANIZE / PO10 Manage Projects: PO10.7 Integrated Project Plan
  Create the Master Schedule
    PLAN & ORGANIZE / PO10 Manage Projects: PO10.8 Project Resources
  Review the Project Plans Approved Milestone
    PLAN & ORGANIZE / PO10 Manage Projects: PO10.9 Project Risk Management; PO10.10 Project Quality Plan

Build SMF
  Prepare for Development
    ACQUIRE & IMPLEMENT / AI3 Acquire and Maintain Technology Infrastructure: AI3.3 Infrastructure Maintenance; AI3.4 Feasibility Test Environment
    ACQUIRE & IMPLEMENT / AI7 Install and Accredit Solutions and Changes: AI7.4 Test Environment
  Develop the Solution
    ACQUIRE & IMPLEMENT / AI2 Acquire and Maintain Application Software: AI2.3 Application Control and Auditability; AI2.4 Application Security and Availability; AI2.5 Configuration and Implementation of Acquired Application Software; AI2.7 Development of Application Software
  Prepare for Release
    ACQUIRE & IMPLEMENT / AI2 Acquire and Maintain Application Software: AI2.6 Major Upgrades to Existing Systems; AI2.8 Software Quality Assurance
    DELIVER & SUPPORT / DS7 Educate and Train Users: DS7.1 Identification of Education and Training Needs
  Review the Scope Complete Milestone
    PLAN & ORGANIZE / PO10 Manage Projects: PO10.9 Project Risk Management

Stabilize SMF
  Stabilize a Release Candidate
    ACQUIRE & IMPLEMENT / AI7 Install and Accredit Solutions and Changes: AI7.6 Testing of Changes
  Conduct a Pilot Test
    ACQUIRE & IMPLEMENT / AI7 Install and Accredit Solutions and Changes: AI7.7 Final Acceptance Test
  Review the Release Readiness Milestone
    PLAN & ORGANIZE / PO10 Manage Projects: PO10.9 Project Risk Management

Deploy SMF
  Deploy Core Components
    ACQUIRE & IMPLEMENT / AI4 Enable Operation and Use: AI4.1 Planning for Operational Solutions; AI4.2 Knowledge Transfer to Business Management; AI4.3 Knowledge Transfer to End Users; AI4.4 Knowledge Transfer to Operations and Support Staff
    DELIVER & SUPPORT / DS7 Educate and Train Users: DS7.2 Delivery of Training and Education; DS7.3 Evaluation of Training Received
  Deploy Sites
    ACQUIRE & IMPLEMENT / AI7 Install and Accredit Solutions and Changes: AI7.8 Promotion to Production
  Stabilize Deployment
    ACQUIRE & IMPLEMENT / AI7 Install and Accredit Solutions and Changes: AI7.6 Testing of Changes
  Review the Deployment Complete Milestone
    ACQUIRE & IMPLEMENT / AI7 Install and Accredit Solutions and Changes: AI7.9 Post-implementation Review

Project Plan Approved Management Review
    PLAN & ORGANIZE / PO10 Manage Projects: PO10.6 Project Phase Initiation

Release Readiness Management Review
    PLAN & ORGANIZE / PO10 Manage Projects: PO10.9 Project Risk Management

Notes:
- COBIT's AI6 Manage Changes process and control objectives map to MOF's Change and Configuration SMF under the MANAGE layer.
OPERATE phase

Operations SMF
  Define Operational Work Requirements; Build Operational Work Instructions
    DELIVER & SUPPORT / DS13 Manage Operations: DS13.1 Operations Procedures and Instructions
  Plan Operational Work
    DELIVER & SUPPORT / DS13 Manage Operations: DS13.2 Job Scheduling; DS13.3 IT Infrastructure Monitoring; DS13.4 Sensitive Documents and Output Devices; DS13.5 Preventive Maintenance for Hardware
    DELIVER & SUPPORT / DS4 Ensure Continuous Service: DS4.1 IT Continuity Framework; DS4.2 IT Continuity Plans; DS4.3 Critical IT Resources
    DELIVER & SUPPORT / DS5 Ensure Systems Security: DS5.1 Management of IT Security; DS5.2 IT Security Plan; DS5.3 Identity Management; DS5.6 Security Incident Definition
    DELIVER & SUPPORT / DS6 Identify and Allocate Costs: DS6.1 Definition of Services
    DELIVER & SUPPORT / DS11 Manage Data: DS11.1 Business Requirements for Data Management; DS11.6 Security Requirements for Data Management
    DELIVER & SUPPORT / DS12 Manage the Physical Environment: DS12.1 Site Selection and Layout
  Execute Operational Work
    DELIVER & SUPPORT / DS13 Manage Operations: DS13.2 Job Scheduling; DS13.3 IT Infrastructure Monitoring; DS13.4 Sensitive Documents and Output Devices; DS13.5 Preventive Maintenance for Hardware
    DELIVER & SUPPORT / DS4 Ensure Continuous Service: DS4.4 Maintenance of the IT Continuity Plan; DS4.5 Testing of the IT Continuity Plan; DS4.6 IT Continuity Plan Training; DS4.7 Distribution of the IT Continuity Plan; DS4.8 IT Services Recovery & Resumption; DS4.9 Offsite Backup Storage
    DELIVER & SUPPORT / DS5 Ensure Systems Security: DS5.4 User Account Management; DS5.5 Security Testing, Surveillance & Monitoring; DS5.7 Protection of Security Technology; DS5.8 Cryptographic Key Management; DS5.9 Malicious Software Prevention, Detection and Correction; DS5.10 Network Security; DS5.11 Exchange of Sensitive Data
    DELIVER & SUPPORT / DS6 Identify and Allocate Costs: DS6.2 IT Accounting; DS6.3 Cost Modeling and Charging
    DELIVER & SUPPORT / DS11 Manage Data: DS11.2 Storage and Retention Arrangements; DS11.3 Media Library Management System; DS11.4 Disposal; DS11.5 Backup and Restoration
    DELIVER & SUPPORT / DS12 Manage the Physical Environment: DS12.2 Physical Security Measures; DS12.3 Physical Access; DS12.4 Protection Against Environmental Factors
  Maintain Operational Work Instructions
    DELIVER & SUPPORT / DS13 Manage Operations: DS13.1 Operations Procedures and Instructions
  Manage Operational Work
    DELIVER & SUPPORT / DS4 Ensure Continuous Service: DS4.10 Post-resumption Review
    DELIVER & SUPPORT / DS5 Ensure Systems Security: DS5.5 Security Testing, Surveillance & Monitoring
    DELIVER & SUPPORT / DS6 Identify and Allocate Costs: DS6.4 Cost Model Maintenance
    DELIVER & SUPPORT / DS12 Manage the Physical Environment: DS12.5 Physical Facilities Management
    DELIVER & SUPPORT / DS13 Manage Operations: DS13.3 IT Infrastructure Monitoring

Service Monitoring & Control SMF
  Define Service Monitoring Requirements
    DELIVER & SUPPORT / DS1 Define and Manage Service Levels: DS1.2 Definition of Services; DS1.3 Service Level Agreements
    DELIVER & SUPPORT / DS2 Manage Third-party Services: DS2.1 Identification of All Supplier Relationships
    DELIVER & SUPPORT / DS3 Manage Performance and Capacity: DS3.1 Performance and Capacity Planning; DS3.2 Current Performance & Capacity; DS3.3 Future Performance & Capacity
  Implement New Service
    DELIVER & SUPPORT / DS3 Manage Performance and Capacity: DS3.4 IT Resources Availability
  Continuous Monitoring
    DELIVER & SUPPORT / DS1 Define and Manage Service Levels: DS1.5 Monitoring and Reporting of Service Level Achievements
    DELIVER & SUPPORT / DS2 Manage Third-party Services: DS2.4 Supplier Performance Monitoring
    DELIVER & SUPPORT / DS3 Manage Performance and Capacity: DS3.5 Monitoring and Reporting
  Control & Reporting
    DELIVER & SUPPORT / DS1 Define and Manage Service Levels: DS1.5 Monitoring and Reporting of Service Level Achievements; DS1.6 Review of Service Level Agreements and Contracts
    DELIVER & SUPPORT / DS2 Manage Third-party Services: DS2.2 Supplier Relationship Management; DS2.3 Supplier Risk Management
    DELIVER & SUPPORT / DS3 Manage Performance and Capacity: DS3.5 Monitoring and Reporting

Customer Service SMF
  Record the User's Request; Classify the User's Request
    DELIVER & SUPPORT / DS8 Manage Service Desk and Incidents: DS8.1 Service Desk; DS8.2 Registration of Customer Queries
  Resolve the Request
    DELIVER & SUPPORT / DS8 Manage Service Desk and Incidents: DS8.3 Incident Escalation
  Confirm Resolution and Close the Request
    DELIVER & SUPPORT / DS8 Manage Service Desk and Incidents: DS8.4 Incident Closure
  Ensure Good Service
    DELIVER & SUPPORT / DS8 Manage Service Desk and Incidents: DS8.5 Reporting and Trend Analysis

Problem Management SMF
  Document the Problem; Filter the Problem
    DELIVER & SUPPORT / DS10 Manage Problems: DS10.1 Identification and Classification of Problems
  Research the Problem
    DELIVER & SUPPORT / DS10 Manage Problems: DS10.2 Problem Tracking and Resolution
  Research the Outcome
    DELIVER & SUPPORT / DS10 Manage Problems: DS10.3 Problem Closure; DS10.4 Integration of Configuration, Incident & Problem Management

Operational Health Management Review
    DELIVER & SUPPORT / DS13 Manage Operations: DS13.3 IT Infrastructure Monitoring
    DELIVER & SUPPORT / DS1 Define and Manage Service Levels: DS1.5 Monitoring and Reporting of Service Level Achievements; DS1.6 Review of Service Level Agreements and Contracts
    DELIVER & SUPPORT / DS3 Manage Performance and Capacity: DS3.5 Monitoring and Reporting
    DELIVER & SUPPORT / DS8 Manage Service Desk and Incidents: DS8.5 Reporting and Trend Analysis
    MONITOR & EVALUATE / ME1 Monitor and Evaluate IT Performance: ME1.1 Monitoring Approach; ME1.2 Definition and Collection of Monitoring Data; ME1.3 Monitoring Method; ME1.4 Performance Assessment; ME1.5 Board and Executive Reporting; ME1.6 Remedial Actions

Notes:
- COBIT's DS7 Educate and Train Users process and control objectives map to MOF's Build and Deploy SMFs under the DELIVER phase.
- COBIT's DS9 Manage the Configuration process and control objectives map to MOF's Change and Configuration SMF (Baseline the Configuration process) under the MANAGE layer.
MANAGE layer

Governance, Risk, and Compliance SMF
  Establish IT Governance
    PLAN & ORGANIZE / PO4 Define the IT Processes, Organization, & Relationships: PO4.1 IT Process Framework; PO4.2 IT Strategy Committee; PO4.3 IT Steering Committee; PO4.4 Organizational Placement of the IT Function; PO4.5 IT Organizational Structure; PO4.6 Establishment of Roles and Responsibilities; PO4.15 Relationships
    PLAN & ORGANIZE / PO10 Manage Projects: PO10.1 Program Management Framework; PO10.2 Project Management Framework; PO10.3 Project Management Approach
    MONITOR & EVALUATE / ME4 Provide IT Governance: ME4.1 Establishment of an IT Governance Framework; ME4.2 Strategic Alignment; ME4.3 Value Delivery; ME4.4 Resource Management; ME4.5 Risk Management
  Assess, Monitor, and Control Risk
    MONITOR & EVALUATE / ME2 Monitor and Evaluate Internal Control: ME2.1 Monitoring of Internal Control Framework; ME2.2 Supervisory Review; ME2.3 Control Exceptions; ME2.4 Control Self-assessment; ME2.6 Internal Control at Third Parties; ME2.7 Remedial Actions
  Comply with Directives
    MONITOR & EVALUATE / ME2 Monitor and Evaluate Internal Control: ME2.5 Assurance of Internal Control
    MONITOR & EVALUATE / ME3 Ensure Compliance With External Requirements: ME3.1 Identification of External Legal, Regulatory and Contractual Compliance Requirements; ME3.2 Optimization of Response to External Requirements; ME3.3 Evaluation of Compliance With External Requirements; ME3.4 Positive Assurance of Compliance; ME3.5 Integrated Reporting

Change and Configuration SMF
  Baseline the Configuration
    DELIVER & SUPPORT / DS9 Manage the Configuration: DS9.1 Configuration Repository and Baseline; DS9.2 Identification and Maintenance of Configuration Items; DS9.3 Configuration Integrity Review
  Initiate the Change
    ACQUIRE & IMPLEMENT / AI6 Manage Changes: AI6.1 Change Standards and Procedures
  Classify the Change; Approve and Schedule the Change
    ACQUIRE & IMPLEMENT / AI6 Manage Changes: AI6.2 Impact Assessment, Prioritization and Authorization
  Develop and Test the Change
    ACQUIRE & IMPLEMENT / AI6 Manage Changes: AI6.3 Emergency Changes
  Release the Change
    ACQUIRE & IMPLEMENT / AI6 Manage Changes: AI6.4 Change Status Tracking and Reporting
  Validate and Review the Change
    ACQUIRE & IMPLEMENT / AI6 Manage Changes: AI6.5 Change Closure and Documentation

Team SMF
  Identify Changes Needed
    PLAN & ORGANIZE / PO4 Define the IT Processes, Organization, & Relationships: PO4.12 IT Staffing; PO4.13 Key IT Personnel
    PLAN & ORGANIZE / PO7 Manage IT Human Resources: PO7.1 Personnel Recruitment & Retention; PO7.2 Personnel Competencies; PO7.3 Staffing of Roles; PO7.4 Personnel Training; PO7.5 Dependence Upon Individuals; PO7.6 Personnel Clearance Procedures; PO7.7 Employee Job Performance Evaluation; PO7.8 Job Change and Termination
  Align Responsibilities; Assign Roles
    PLAN & ORGANIZE / PO4 Define the IT Processes, Organization, & Relationships: PO4.6 Establishment of Roles & Responsibilities; PO4.7 Responsibility for IT Quality Assurance; PO4.8 Responsibility for Risk, Security & Compliance; PO4.9 Data and System Ownership; PO4.10 Supervision; PO4.11 Segregation of Duties; PO4.14 Contracted Staff Policies and Procedures

Policy & Control Management Review
    MONITOR & EVALUATE / ME2 Monitor and Evaluate Internal Control: ME2.1 Monitoring of Internal Control Framework; ME2.3 Control Exceptions; ME2.7 Remedial Actions

Notes:
- COBIT's ME1 Monitor and Evaluate IT Performance process and control objectives map to MOF's Operational Health Management Review SMF under the OPERATE layer.
Appendix C – Glossary
Control Objectives for Information and related Technology (COBIT)
A control framework for IT governance developed and published by the Information Technology Governance Institute (ITGI), which is affiliated with the Information Systems Audit and Control Association (ISACA). COBIT provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's good practices represent the consensus of experts. They are focused more on control and less on execution. These practices help optimize IT-enabled investments, ensure service delivery, and provide a measure against which to judge when things do go wrong.

EUDPD (European Union Data Protection Directive)
European Union's Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The directive was implemented in 1995 by the European Commission.

GLBA (Gramm-Leach-Bliley Act)
Also known as the Gramm-Leach-Bliley Financial Services Modernization Act, Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999, is an Act of the United States Congress which repealed part of the Glass-Steagall Act of 1933, opening up competition among banks, securities companies and insurance companies. In terms of compliance, the key rules under the Act include the Financial Privacy Rule, which governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, regardless of whether they are financial institutions, that receive such information. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information.

GRC
Governance (IT) – IT governance is led by senior management and consists of
activities that clarify who holds the power to make decisions, determine accountability
for actions and responsibility for outcomes, and address how expected performance
will be evaluated.
Risk – the possibility of adverse effects on business or IT objectives. Risk is
measured in terms of impact and likelihood.
Compliance – an application of risk management that ensures that IT conforms with
governmental regulations, laws, and company-specific policies—in other words, a
means to ensure that the organization is actually doing what it has said it will do.

ITIL (Information Technology Infrastructure Library)
ITIL is a set of concepts and policies for managing information technology (IT) infrastructure, development and operations. ITIL is published in a series of books, each of which covers an IT management topic. The names ITIL and IT Infrastructure Library are registered trademarks of the United Kingdom's Office of Government Commerce (OGC). ITIL gives a detailed description of a number of important IT practices with comprehensive checklists, tasks and procedures that can be tailored to any IT organization.

Information Systems Audit and Control Association (ISACA)
A non-profit organization that promotes IT governance and control standards and practices by supporting its professional members through education, resource sharing, advocacy, and professional networking.

Information Technology Governance Institute (ITGI)
A non-profit, independent research entity that provides guidance for the global business community on issues related to the governance of IT assets. ITGI was established by the non-profit membership association ISACA in 1998 to help ensure that IT delivers value and its risks are mitigated through alignment with enterprise objectives, IT resources are properly allocated, and IT performance is measured.

Microsoft Operations Framework (MOF)
MOF was created by Microsoft to provide IT professionals with guidance across the entire IT life cycle. Completed in early 2008, MOF 4.0 integrates community-generated processes; governance, risk, and compliance activities; management reviews; and best practices. The guidance in MOF encompasses all of the activities and processes involved in managing an IT service: its conception, development, operation, maintenance, and retirement.

Operating Level Agreement (OLA)
An internal agreement between one or more of the IT teams that support the requirements set forth in the service level agreements (SLAs).

PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS is a worldwide security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The PCI security standards are technical and operational requirements that were created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. The standards apply to all organizations that store, process or transmit cardholder data, with guidance for software developers and manufacturers of applications and devices used in those transactions. A company processing, storing, or transmitting cardholder data must be PCI DSS compliant.

RACI
A list of activities that records, for each activity, whether the person in a job role is Responsible, Accountable, Consulted, or Informed.

Return on Investment (ROI)
The ratio of money gained or lost on an investment relative to the amount of money invested. The ROI is used to evaluate which projects to pursue, and to manage benefit projections during a project to ensure that realized benefits will be close to the predicted benefits.

Risk Exposure
The combined impact and likelihood level of a risk based on its associated threat and
vulnerability.

Service Catalog
A comprehensive list of services, including priorities of the business and
corresponding SLAs, maintained and published by the IT organization.

Service Level Agreement (SLA)
A written agreement documenting the required levels of service. The SLA is agreed on by the IT service provider and the business, or by the IT service provider and a third-party provider. SLAs should list the metrics and measures that both sides use to define success.

Service Management Function (SMF)
A core part of MOF that provides operational guidance for Microsoft technologies employed in computing environments for information technology applications. SMFs help organizations to achieve mission-critical system reliability, availability, supportability, and manageability of IT solutions.

Solution Accelerators
Microsoft Solution Accelerators are free, authoritative resources to help IT
Professionals proactively plan, integrate, and operate IT systems. The main home
page is at http://technet.microsoft.com/en-us/solutionaccelerators/default.aspx.

SOX (Sarbanes-Oxley Act)
Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called Sarbanes-Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals. The Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. Section 404 of the Act also covers issues such as auditor independence, corporate governance, and internal control assessment.

Val IT
Val IT was created and is maintained by the ITGI, which is an independent non-profit
research institute affiliated with the ISACA. Val IT was developed subsequent to
COBIT when the ITGI recognized the need for a framework that sets good practices
for the process of value creation by providing enterprises with the structure they
require to measure, monitor and optimize the realization of business value from their
investment in IT. Val IT integrates a set of practical and proven governance
principles, processes, practices and supporting guidelines that were developed
based on the collective experience of a global team of practitioners and academics,
existing and emerging practices and methodologies, and a rapidly growing body of
research.
Appendix D – References
IT Governance Institute, COBIT 4.1 Edition, USA, 2007, www.itgi.org
IT Governance Institute, Val IT 2.0 Edition, USA, 2008, www.itgi.org
Microsoft Corporation, MOF Version 4.0, USA, 2008, www.microsoft.com/mof (includes best practices, job aids, and tools)
Microsoft's IT Governance and Compliance Solution Accelerators webpage: www.microsoft.com/compliance (includes IT Compliance Management Guide, Security Risk Management Guide, other best practices, and tools)
Pultorak, D., Henry, C. and Leenards, P., MOF 4.0 Pocket Guide, Van Haren Publishing, USA, 2008
