Operations Management – DSS01 (COBIT 2019)

Parent Framework: COBIT 2019

Domain: Deliver, Service and Support (DSS)

Managed Operations

Coordinate and execute the activities and operational procedures required to deliver internal and outsourced I&T services. Include the execution of predefined standard operating procedures and the required monitoring activities.


Deliver I&T operational product and service outcomes as planned.

Management practices

DSS01.01 Perform operational procedures.

Maintain and perform operational procedures and operational tasks reliably and consistently.

DSS01.02 Manage outsourced I&T services.

Manage the operation of outsourced I&T services to maintain the protection of enterprise information and reliability of service delivery.

DSS01.03 Monitor I&T infrastructure.

Monitor the I&T infrastructure and related events. Store sufficient chronological information in operations logs to reconstruct and review time sequences of operations and other activities surrounding or supporting operations.

DSS01.04 Manage the environment.

Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment.

DSS01.05 Manage facilities.

Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.


Database administration DBAD

The installation, configuration, upgrade, administration, monitoring and maintenance of databases. Providing support for operational databases in production use and for internal or interim purposes such as iterative developments and testing. Improving the performance of databases and the tools and processes for database administration (including automation).

Facilities management DCMA

The planning, control and management of all the facilities which, collectively, make up the IT estate. This involves provision and management of the physical environment, including space and power allocation, and environmental monitoring to provide statistics on energy usage. Encompasses physical access control, and adherence to all mandatory policies and regulations concerning health and safety at work.

IT infrastructure ITOP

The operation and control of the IT infrastructure (comprising physical or virtual hardware, software, network services and data storage, either on-premises or provisioned as cloud services) that is required to deliver and support the information systems needs of a business. Includes preparation for new or changed services, operation of the change process, the maintenance of regulatory, legal and professional standards, the building and management of systems and components in virtualised and cloud computing environments, and the monitoring of performance of systems and services in relation to their contribution to business performance, their security and their sustainability. The application of infrastructure management tools to automate the provisioning, testing, deployment and monitoring of infrastructure components.

Methods and tools METL

The definition, tailoring, implementation, assessment, measurement, automation and improvement of methods and tools to support planning, development, testing, operation, management and maintenance of systems. Ensuring methods and tools are adopted and used effectively throughout the organisation.

Storage management STMG

The planning, implementation, configuration and tuning of storage hardware and software covering online, offline, remote and offsite data storage (backup, archiving and recovery) and ensuring compliance with regulatory and security requirements.

Service Requests and Incident Management – DSS02 (COBIT 2019)

Parent Framework: COBIT 2019

Domain: Deliver, Service and Support (DSS)

Managed Service Requests and Incidents

Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfil user requests; and record, investigate, diagnose, escalate and resolve incidents.


Achieve increased productivity and minimize disruptions through quick resolution of user queries and incidents. Assess the impact of changes and deal with service incidents. Resolve user requests and restore service in response to incidents.

Management practices

DSS02.01 Define classification schemes for incidents and service requests.

Define classification schemes and models for incidents and service requests.

DSS02.02 Record, classify and prioritize requests and incidents.

Identify, record and classify service requests and incidents and assign a priority according to business criticality and service agreements.

DSS02.03 Verify, approve and fulfill service requests.

Select the appropriate request procedures and verify that the service requests fulfill defined request criteria. Obtain approval, if required, and fulfill the requests.

DSS02.04 Investigate, diagnose and allocate incidents.

Identify and record incident symptoms, determine possible causes, and allocate for resolution.

DSS02.05 Resolve and recover from incidents.

Document, apply and test the identified solutions or workarounds. Perform recovery actions to restore the I&T-related service.

DSS02.06 Close service requests and incidents.

Verify satisfactory incident resolution and/or fulfilment of requests, and close.

DSS02.07 Track status and produce reports.

Regularly track, analyze and report incidents and fulfilment of requests. Examine trends to provide information for continual improvement.


Application Support ASUP

The provision of application maintenance and support services, either directly to users of the systems or to service delivery functions. Support typically includes investigation and resolution of issues and may also include performance monitoring. Issues may be resolved by providing advice or training to users, by devising corrections (permanent or temporary) for faults, making general or site-specific modifications, updating documentation, manipulating data, or defining enhancements. Support often involves close collaboration with the system’s developers and/or with colleagues specialising in different areas, such as Database administration or Network support.

Customer service support CSMG

The management and operation of one or more customer service or service desk functions. Acting as a point of contact to support service users and customers reporting issues, requesting information, access, or other services. The delivery of customer service through multiple channels including human, digital, self-service and automated.

Incident management USUP

The processing and coordination of appropriate and timely responses to incident reports, including channelling requests for help to appropriate functions for resolution, monitoring resolution activity, and keeping clients apprised of progress towards service restoration.

Network support NTAS

The provision of network maintenance and support services. Support may be provided both to users of the systems and to service delivery functions. Support typically takes the form of investigating and resolving problems and providing information about the systems. It may also include monitoring their performance. Problems may be resolved by providing advice or training to users about the network’s functionality, correct operation or constraints, by devising work-arounds, correcting faults, or making general or site-specific modifications.

Problem Management – DSS03 (COBIT 2019)

Parent Framework: COBIT 2019

Domain: Deliver, Service and Support (DSS)

Managed Problems

Identify and classify problems and their root causes. Provide timely resolution to prevent recurring incidents. Provide recommendations for improvements.


Increase availability, improve service levels, reduce costs, improve customer convenience and satisfaction by reducing the number of operational problems, and identify root causes as part of problem resolution.

Management practices

DSS03.01 Identify and classify problems.

Define and implement criteria and procedures to identify and report problems. Include problem classification, categorization and prioritization.

DSS03.02 Investigate and diagnose problems.

Investigate and diagnose problems using relevant subject matter experts to assess and analyze root causes.

DSS03.03 Raise known errors.

As soon as root causes of problems are identified, create known-error records, document appropriate workarounds and identify potential solutions.

DSS03.04 Resolve and close problems.

Identify and initiate sustainable solutions addressing the root cause. Raise change requests via the established change management process, if required, to resolve errors. Ensure that the personnel affected are aware of the actions taken and the plans developed to prevent future incidents from occurring.

DSS03.05 Perform proactive problem management.

Collect and analyze operational data (especially incident and change records) to identify emerging trends that may indicate problems. Log problem records to enable assessment.


Problem management PBMG

The resolution (both reactive and proactive) of problems throughout the information system lifecycle, including classification, prioritisation and initiation of action, documentation of root causes and implementation of remedies to prevent future incidents.

Continuity Management – DSS04 (COBIT 2019)

Parent Framework: COBIT 2019

Domain: Deliver, Service and Support (DSS)

Managed Continuity

Establish and maintain a plan to enable the business and IT organizations to respond to incidents and quickly adapt to disruptions. This will enable continued operations of critical business processes and required I&T services and maintain availability of resources, assets and information at a level acceptable to the enterprise.


Adapt rapidly, continue business operations and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands).

Management practices

DSS04.01 Define the business continuity policy, objectives and scope.

Define business continuity policy and scope, aligned with enterprise and stakeholder objectives, to improve business resilience.

DSS04.02 Maintain business resilience.

Evaluate business resilience options and choose a cost-effective and viable strategy that will ensure enterprise continuity, disaster recovery and incident response in the face of a disaster or other major incident or disruption.

DSS04.03 Develop and implement a business continuity response.

Develop a business continuity plan (BCP) and disaster recovery plan (DRP) based on the strategy. Document all procedures necessary for the enterprise to continue critical activities in the event of an incident.

DSS04.04 Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP).

Test continuity on a regular basis to exercise plans against predetermined outcomes, uphold business resilience and allow innovative solutions to be developed.

DSS04.05 Review, maintain and improve the continuity plans.

Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plans in accordance with the change control process to ensure that continuity plans are kept up to date and continually reflect actual business requirements.

DSS04.06 Conduct continuity plan training.

Provide all concerned internal and external parties with regular training sessions regarding procedures and their roles and responsibilities in case of disruption.

DSS04.07 Manage backup arrangements.

Maintain availability of business-critical information.

DSS04.08 Conduct post-resumption review.

Assess the adequacy of the business continuity plan (BCP) and disaster response plan (DRP) following successful resumption of business processes and services after a disruption.


Continuity management COPL

The provision of service continuity planning and support, as part of, or in close cooperation with, the function which plans business continuity for the whole organisation. The identification of information systems which support critical business processes. The assessment of risks to critical systems’ availability, integrity and confidentiality. The co-ordination of planning, designing, testing and maintenance procedures and contingency plans to address exposures and maintain agreed levels of continuity.

Security Service Management – DSS05 (COBIT 2019)

Parent Framework: COBIT 2019

Domain: Deliver, Service and Support (DSS)

Managed Security Service

Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy.


Minimize the business impact of operational information security vulnerabilities and incidents.

Management practices

DSS05.01 Protect against malicious software.

Implement and maintain preventive, detective and corrective measures (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malicious software (e.g., ransomware, malware, viruses, worms, spyware, spam).

DSS05.02 Manage network and connectivity security.

Use security measures and related management procedures to protect information over all methods of connectivity.

DSS05.03 Manage endpoint security.

Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements for the information processed, stored or transmitted.

DSS05.04 Manage user identity and logical access.

Ensure that all users have information access rights in accordance with business requirements. Coordinate with business units that manage their own access rights within business processes.

DSS05.05 Manage physical access to I&T assets.

Define and implement procedures (including emergency procedures) to grant, limit and revoke access to premises, buildings and areas, according to business need. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This requirement applies to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.

DSS05.06 Manage sensitive documents and output devices.

Establish appropriate physical safeguards, accounting practices and inventory management regarding sensitive I&T assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.

DSS05.07 Manage vulnerabilities and monitor the infrastructure for security-related events.

Using a portfolio of tools and technologies (e.g., intrusion detection tools), manage vulnerabilities and monitor the infrastructure for unauthorized access. Ensure that security tools, technologies and detection are integrated with general event monitoring and incident management.


Information security SCTY

The selection, design, justification, implementation and operation of controls and management strategies to maintain the security, confidentiality, integrity, availability, accountability and relevant compliance of information systems with legislation, regulation and relevant standards.

Penetration testing PENT

The assessment of organisational vulnerabilities through the design and execution of penetration tests that demonstrate how an adversary can either subvert the organisation’s security goals or achieve specific adversarial objectives. Penetration testing may be a stand-alone activity or an aspect of acceptance testing prior to an approval to operate. The identification of deeper insights into the business risks of various vulnerabilities.

Security administration SCAD

The provision of operational security management and administrative services. Typically includes the authorisation and monitoring of access to IT facilities or infrastructure, the investigation of unauthorised access and compliance with relevant legislation.

Business Process Controls Management – DSS06 (COBIT 2019)

Parent Framework: COBIT 2019

Domain: Deliver, Service and Support (DSS)

Managed Business Process Controls

Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements. Manage and operate adequate input, throughput and output controls (application controls) to ensure that information and information processing satisfy these requirements.


Maintain information integrity and the security of information assets handled within business processes in the enterprise or its outsourced operation.

Management practices

DSS06.01 Align control activities embedded in business processes with enterprise objectives.

Continually assess and monitor the execution of business process activities and related controls (based on enterprise risk), to ensure that processing controls align with business needs.

DSS06.02 Control the processing of information.

Operate the execution of the business process activities and related controls, based on enterprise risk. Ensure that information processing is valid, complete, accurate, timely and secure (i.e., reflects legitimate and authorized business use).

DSS06.03 Manage roles, responsibilities, access privileges and levels of authority.

Manage business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to all information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf.

DSS06.04 Manage errors and exceptions.

Manage business process exceptions and errors and facilitate remediation, executing defined corrective actions and escalating as necessary. This treatment of exceptions and errors provides assurance of the accuracy and integrity of the business information process.

DSS06.05 Ensure traceability and accountability for information events.

Ensure that business information can be traced to an originating business event and associated with accountable parties. This discoverability provides assurance that business information is reliable and has been processed in accordance with defined objectives.

DSS06.06 Secure information assets.

Secure information assets accessible by the business through approved methods, including information in electronic form (e.g., portable media devices, user applications and storage devices, or other methods that create new assets in any form), information in physical form (e.g., source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information.


Information security SCTY

The selection, design, justification, implementation and operation of controls and management strategies to maintain the security, confidentiality, integrity, availability, accountability and relevant compliance of information systems with legislation, regulation and relevant standards.

Security administration SCAD

The provision of operational security management and administrative services. Typically includes the authorisation and monitoring of access to IT facilities or infrastructure, the investigation of unauthorised access and compliance with relevant legislation.