COBIT Maturity Model Practical Case

This document describes the IT maturity models and how they can be used to assess the current performance of an organization and set improvement goals. It explains the five stages of maturity from "non-existent" to "optimized" for each of the 34 IT processes of COBIT. It also presents a chart that shows how COBIT control objectives affect the criteria and resources of an organization’s IT. The use of these models allows management to evaluate the current state of IT and determine...

MATURITY MODELS

Executives and directors of the Organization are now expected to ensure proper management of IT. This requires a business plan for reaching an optimal level of management and control of Information Technology.

The maturity models are designed as IT process profiles that an Organization can recognize as descriptions of possible current and future states. They are not designed as threshold models, where one cannot move to a higher level without having fulfilled every condition of the lower levels. Using the maturity models defined for the 34 IT processes of COBIT, management can identify:

The actual performance of the Organization: where the Organization is today.
The current status of the industry: the comparison.
The Organization's target for improvement: where the Organization wants to be.

A maturity model has been defined for each of the 34 IT processes, with an increasing measurement scale from 0 (non-existent) to 5 (optimized). The advantage is that it is relatively easy for management to place itself on the scale and so evaluate what needs to be done if an improvement is required.

Level 0 - NON-EXISTENT: Complete absence of any recognizable process. The organization has not even recognized that there is a problem to solve.

Level 1 - INITIAL: There is evidence that the company has acknowledged that the problems exist and need to be solved. However, there are no standard processes; instead there are ad hoc approaches that tend to be applied individually or case by case. The general approach to management is disorganized.

Level 2 - REPEATABLE: Processes have developed to the point where similar procedures are followed by different people performing the same task. There is no formal training or communication of the standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, mistakes are likely.

Level 3 - DEFINED: Procedures have been standardized and documented, and disseminated through training. However, it is left to the individual to decide whether to follow these processes, and deviations are unlikely to be detected. The procedures themselves are not sophisticated but formalize existing practices.

Level 4 - MANAGED: It is possible to monitor and measure compliance with the procedures and to take action when the processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

Level 5 - OPTIMIZED: Processes have been refined to the level of best practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness and making the enterprise quick to adapt.

The information criteria are:

Effectiveness: the information is relevant and pertinent to the business processes and is delivered in a timely, correct, consistent and usable manner.
Efficiency: the information is provided through the optimal (most productive and economical) use of resources.
Confidentiality: the protection of sensitive information against unauthorized disclosure.
Integrity: the accuracy and completeness of the information, as well as its validity in accordance with business values and expectations.
Availability: the information is available when required by the business processes, now and in the future. It also concerns the safeguarding of the necessary resources and associated capabilities.
Compliance: adherence to the laws, regulations and contractual agreements to which the business process is subject, that is, externally imposed business criteria, as well as internal policies.
Reliability: the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.
The IT resources are:

Applications: the automated user systems and the manual procedures that process the information.
Information: the data, in all its forms, input, processed and output by the information systems, in whatever form is used by the business.
Infrastructure: the technology and facilities (hardware, operating systems, database management systems, networks, multimedia, etc., as well as the site where they are located and the environment that supports them) that enable the processing of the applications.
People (Human Resources): the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services.

Qualitative Maturity Models (COSO)

The table below shows the impact of each COBIT 4.1 control objective on the information criteria and the IT resources.

The way each process affects a criterion is identified by:

Primary impact (P): the defined control objective directly impacts the information requirement of interest.
Secondary impact (S): the defined control objective satisfies the information requirement of interest only indirectly or to a lesser extent.
Blank (empty): the control objective has no impact on that information requirement.

The IT resources managed by each process are marked with an X. See Table 1.1.

Columns: the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability), marked P or S, followed by the four IT resources (applications, information, infrastructure, people), marked X. For each process the marks are listed in the order in which they appear across the columns.

PROCESS | INFORMATION CRITERIA | IT RESOURCES
PO1 Define the strategic IT plan | P S | X X X X
PO2 Define the information architecture | S P S P | X X
PO3 Determine the technological direction | P P | X X
PO4 Define the IT processes, organization and relationships | P P | X
PO5 Manage the IT investment | P P S | X X X
PO6 Communicate management aims and direction | P S | X X
PO7 Manage IT human resources | P P | X
PO8 Manage quality | P P S S | X X X X
PO9 Assess and manage IT risks | S S P P P S S | X X X X
PO10 Manage projects | P P | X X X
AI1 Identify automated solutions | P S | X X
AI2 Acquire and maintain application software | P P S S | X
AI3 Acquire and maintain technological infrastructure | S P S S | X
AI4 Enable operation and use | P P S S S S | X X X
AI5 Procure IT resources | P S | X X X X
AI6 Manage changes | P P S S S S S | X X X X
AI7 Install and accredit solutions and changes | P S S S | X X X X
DS1 Define and manage service levels | P P S S S S S | X X X X
DS2 Manage third-party services | P P S S S S S | X X X X
DS3 Manage performance and capacity | P P S | X X X X
DS4 Ensure service continuity | P S P | X X X X
DS5 Ensure the security of systems | P P S S S | X X X X
DS6 Identify and allocate costs | P P | X X X X
DS7 Educate and train users | P S | X
DS8 Manage the service desk and incidents | P P | X X
DS9 Manage the configuration | P S S S | X X X
DS10 Manage problems | P P S | X X X X
DS11 Manage data | P P | X
DS12 Manage the physical environment | P P | X
DS13 Manage operations | P P S S | X X X X
ME1 Monitor and evaluate IT performance | P P S S S S S | X X X X
ME2 Monitor and evaluate internal control | P P S S S S S | X X X X
ME3 Ensure regulatory compliance | P S | X X X X
ME4 Provide IT governance | P S S S S S S | X X X X

TABLE 1.1 SUMMARY OF COBIT CONTROL OBJECTIVES FRAMEWORK

To obtain the percentages for the information criteria (for example, the percentage of effectiveness and of reliability) for the Universidad Nacional José Faustino Sánchez Carrión, a value is assigned to each degree of impact: Primary, whose effect is high or strong; Secondary, whose effect is mild or medium; and Blank (empty), which has no impact.

This percentage is established on the basis of a methodological proposal taken from a risk management methodology such as COSO.

COSO (Committee of Sponsoring Organizations of the Treadway Commission) establishes a weighting for the degree of impact that the information criteria have within a process, and also allows the level of risk of that process to be determined, for which it establishes rating ranges for the low, medium and high levels, as shown in the following table.

RATING (%)    IMPACT
15% - 50%     Low
51% - 75%     Medium
76% - 95%     High
-             Empty (no impact)

TABLE 1.2 Average impacts, source COBIT 4.1

The weights applied in the summary tables that follow are the midpoints of these ranges: (76 + 95) / 2 = 85.5, rounded to 86%, for a Primary impact (0.86), and (51 + 75) / 2 = 63% for a Secondary impact (0.63).

MATURITY MODELS OF PROCESSES

A sheet is shown below for each of the objectives analyzed. Each sheet applies the COBIT 4.1 maturity model to determine the lowest level whose conditions the Organization does not meet, which in turn rates the maturity level of that objective.

DOMAIN: PLAN AND ORGANIZE

PO1: Define the Strategic Information Technology Plan

MATURITY LEVELS

Level 0 (√): There is no awareness on the part of management that strategic IT planning is required to support the business goals.
Level 1 (√): Strategic IT planning is discussed occasionally in management meetings.
Level 2 (√): Strategic decisions are taken project by project, without being consistent with a global strategy of the Organization.
Level 3 (√): Strategic IT planning follows a structured approach, which is documented and made known to the entire team. IT human-resource, technical and financial strategies increasingly influence the acquisition of new products and technologies.
Level 4: There are well-defined processes for determining the use of the internal and external resources required in the development and operation of systems.
Level 5: Realistic long-term IT plans are developed and are constantly updated to reflect changing technological advances.

OBSERVATIONS

Maturity level: the process of Defining the Strategic Information Technology Plan is at maturity level 1.
Unmet objectives: there is no strategic IT plan and no resource strategy for the Organization. No long-term IT plans are made.

RECOMMENDATIONS

For the COBIT process PO1, the following control objectives are established:
Long-term IT plans.
Make strategic decisions.
Define the necessary internal and external resources.

To reach maturity level 2, the following strategies must be adopted:
In the short term: evaluate current performance, that is, conduct an assessment of the existing information systems plans and their impact on the objectives of the Universidad Nacional José Faustino Sánchez Carrión.
In the long term: create tactical IT plans for the future, derived from the strategic IT plan; these plans must be detailed enough to allow the definition of the projected plans.

DOMAIN: PLAN AND ORGANIZE

PO2: Define the Information Architecture

MATURITY LEVELS

Level 0 (√): The knowledge, experience and responsibilities necessary to develop an information architecture do not exist in the Organization.
Level 1 (√): Management recognizes the need for an information architecture. The development of some components of an information architecture occurs on an ad hoc basis.
Level 2 (√): People obtain their skills in building the information architecture through practical experience and the repeated application of techniques.
Level 3: There is a formally defined data management function that sets standards for the entire Organization and has begun reporting on the application and use of the information architecture.
Level 4: The process of defining the information architecture is proactive and focuses on solving future business needs.
Level 5 (√): The IT staff has the experience and skills necessary to develop and maintain a robust and responsive information architecture that reflects all business requirements.

OBSERVATIONS

Maturity level: the process of Defining the Information Architecture is at maturity level 0.
Unmet objectives: the future needs of the business are not resolved through the information architecture process. The skills of the personnel are not taken advantage of for building the information architecture.

RECOMMENDATIONS

For the COBIT process PO2, the following control objectives are established:
Develop and maintain the information architecture.
Have a clear understanding of the process of defining the information architecture.
Participate in the construction of the information architecture in order to increase skills.

To reach maturity level 1, the following strategies must be adopted:
In the short term: establish and maintain an information architecture model to facilitate application development and support decision-making activities; this model will be useful for the optimal creation, use and sharing of vital information.
In the long term: define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data stores and file storage.

DOMAIN: PLAN AND ORGANIZE

PO3: Determine the Technological Direction

MATURITY LEVELS

Level 0: There is no awareness of the importance of planning the technological infrastructure for the entity.
Level 1: Management recognizes the need to plan the technological infrastructure. The development of technological components and the implementation of emerging technologies are ad hoc and isolated.
Level 2: The evaluation of technological changes is delegated to individuals who follow intuitive, though similar, processes.
Level 3 (√): There is a defined technological infrastructure plan, documented and well disseminated, although it is applied inconsistently.
Level 4: The IT area has the experience and skills necessary to develop a technological infrastructure plan.
Level 5 (√): The direction of the technological infrastructure plan is driven by industry and international standards and advances, instead of being guided by technology suppliers.

OBSERVATIONS

Maturity level: the process of Determining the Technological Direction is at maturity level 2.
Unmet objectives: develop the skills needed to prepare the technological infrastructure plan. Produce a technological infrastructure plan.

RECOMMENDATIONS

For the COBIT process PO3, the following control objectives are established:
Develop a technological infrastructure plan.
Orient the direction of the technological infrastructure by industry standards rather than by technology suppliers.
Do not delegate technological changes to people who lack the necessary experience.

To reach maturity level 3, the following strategies must be adopted:
In the short term: plan the technological direction, that is, analyze existing and emerging technologies to consider which technological direction is appropriate for complying with the IT strategies and the business systems architecture.
In the long term: conduct a process of monitoring technological trends, if possible establishing a technology forum, in order to provide technological guidelines.

GENERAL REPORT ON MATURITY LEVELS

PROCESS                                                       LEVEL
PO1 Define the Strategic Information Technology Plan          1
PO2 Define the Information Architecture                       0
PO3 Determine the Technological Direction                     2
PO4 Define the IT Processes, Organization and Relationships   2
AI1 Identify Automated Solutions                              1
AI2 Acquire and Maintain Application Software                 1
AI3 Acquire and Maintain Technological Infrastructure         3
AI4 Facilitate the Operation and Use                          1
AI5 Acquire IT Resources                                      2
DS1 Define and Manage Service Levels                          1
DS2 Manage Third-Party Services                               3
DS3 Manage Performance and Capacity                           1
DS4 Ensure Service Continuity                                 0
DS5 Ensure the Security of Systems                            2
ME1 Monitor and Evaluate IT Performance                       2
ME2 Monitor and Evaluate Internal Control                     1
ME3 Ensure Regulatory Compliance                              0
ME4 Provide IT Governance                                     1

SUMMARY OF ANALYSIS BY DOMAINS:

Domain: Planning and Organizing (PO)




Domain: Acquire and Implement (AI)

Domain: Delivery and Support (DS)

Domain: Monitoring and Evaluation (ME)

SUMMARY OF PROCESSES AND INFORMATION CRITERIA BY IMPACT

For each process, "impact" lists the weights of the information criteria it affects (0.86 for a Primary impact, 0.63 for a Secondary impact), in column order; "real" is the total real (impact × real level) for the assessed level; "ideal" is the total ideal (impact × ideal level) for the ideal level 5.

PO1 Define the Strategic Information Technology Plan
  impact 0.86 0.63 | real (level 1) 0.86 0.63 | ideal (level 5) 4.3 3.15
PO2 Define the Information Architecture
  impact 0.63 0.86 0.63 0.86 | real (level 0) 0 0 0 0 | ideal (level 5) 3.15 4.3 3.15 4.3
PO3 Determine the Technological Direction
  impact 0.86 0.86 | real (level 2) 1.72 1.72 | ideal (level 5) 4.3 4.3
PO4 Define the IT Processes, Organization and Relationships
  impact 0.86 0.86 | real (level 2) 1.72 1.72 | ideal (level 5) 4.3 4.3
AI1 Identify Automated Solutions
  impact 0.86 0.63 | real (level 1) 0.86 0.63 | ideal (level 5) 4.3 3.15
AI2 Acquire and Maintain Application Software
  impact 0.86 0.86 0.63 0.63 | real (level 1) 0.86 0.86 0.63 0.63 | ideal (level 5) 4.3 4.3 3.15 3.15
AI3 Acquire and Maintain Technological Infrastructure
  impact 0.63 0.86 0.63 0.63 | real (level 0) 0 0 0 0 | ideal (level 5) 3.15 4.3 3.15 3.15
AI4 Facilitate the Operation and Use
  impact 0.86 0.86 0.63 0.63 0.63 0.63 | real (level 1) 0.86 0.86 0.63 0.63 0.63 0.63 | ideal (level 5) 4.3 4.3 3.15 3.15 3.15 3.15
AI5 Acquire IT Resources
  impact 0.63 0.86 0.63 | real (level 2) 1.26 1.72 1.26 | ideal (level 5) 3.15 4.3 3.15
DS1 Define and Manage Service Levels
  impact 0.86 0.86 0.63 0.63 0.63 0.63 0.63 | real (level 1) 0.86 0.86 0.63 0.63 0.63 0.63 0.63 | ideal (level 5) 4.3 4.3 3.15 3.15 3.15 3.15 3.15
DS2 Manage Third-Party Services
  impact 0.86 0.86 0.63 0.63 0.63 0.63 0.63 | real (level 3) 2.58 2.58 1.89 1.89 1.89 1.89 1.89 | ideal (level 5) 4.3 4.3 3.15 3.15 3.15 3.15 3.15
DS3 Manage Performance and Capacity
  impact 0.86 0.86 0.63 | real (level 1) 0.86 0.86 0.63 | ideal (level 5) 4.3 4.3 3.15
DS4 Ensure Service Continuity
  impact 0.86 0.63 0.86 | real (level 2) 1.72 1.26 1.72 | ideal (level 5) 4.3 3.15 4.3
DS5 Ensure the Security of Systems
  impact 0.86 0.86 0.63 0.63 0.63 | real (level 1) 0.86 0.86 0.63 0.63 0.63 | ideal (level 5) 4.3 4.3 3.15 3.15 3.15
ME1 Monitor and Evaluate IT Performance
  impact 0.86 0.86 0.63 0.63 0.63 0.63 0.63 | real (level 2) 1.72 1.72 1.26 1.26 1.26 1.26 1.26 | ideal (level 5) 4.3 4.3 3.15 3.15 3.15 3.15 3.15
ME2 Monitor and Evaluate Internal Control
  impact 0.86 0.86 0.63 0.63 0.63 0.63 0.63 | real (level 1) 0.86 0.86 0.63 0.63 0.63 0.63 0.63 | ideal (level 5) 4.3 4.3 3.15 3.15 3.15 3.15 3.15
ME3 Ensure Regulatory Compliance
  impact 0.86 0.63 | real (level 0) 0 0 | ideal (level 5) 4.3 3.15
ME4 Provide IT Governance
  impact 0.86 0.86 0.63 0.63 0.63 0.63 0.63 | real (level 1) 0.86 0.86 0.63 0.63 0.63 0.63 0.63 | ideal (level 5) 4.3 4.3 3.15 3.15 3.15 3.15 3.15

FINAL RESULTS OF THE IMPACT ON THE INFORMATION CRITERIA

Columns are the information criteria in the order listed earlier: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability.

                                     Effect.  Effic.  Confid.  Integr.  Avail.  Compl.  Reliab.  Overall
Total real (impact × real level)     17.6     17.14   5.9      7.16     8.65    7.56    6.93
Total ideal (impact × ideal level)   65.35    65.35   23.2     33.8     32.65   31.95   28.35
Percentage achieved (%)              26.93    26.23   25.43    21.18    26.49   23.66   24.44    24.9

The percentage achieved for each criterion is its total real divided by its total ideal; the overall figure of 24.9 is the mean of the seven percentages.
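The scoring behind the summary tables, written out as an added example (this is not code from the document, nor from ISACA or COBIT): the P and S weights are derived as the midpoints of the Table 1.2 ranges, every process contributes impact × real level and impact × ideal level (5) to each criterion it marks, the column totals are accumulated, and the percentage achieved per criterion is real / ideal, with the overall figure as the mean of the seven percentages. The three sample assessments, and the assignment of each process's marks to named criteria, are constructed for illustration and are assumptions; only PO1's marks (P and S, level 1) and the column totals used in the final check are taken from the page. All function and class names are this example's own.

```python
"""Impact-weighted maturity scoring in the style of the summary tables."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CRITERIA = ("effectiveness", "efficiency", "confidentiality", "integrity",
            "availability", "compliance", "reliability")
IDEAL_LEVEL = 5           # the "ideal level" column of the summary table
TWO_PLACES = Decimal("0.01")

# Table 1.2 rating ranges (percent) per degree of impact; a blank cell has no
# range and therefore no weight.
IMPACT_RANGES = {"P": (76, 95), "S": (51, 75)}


def weight(mark: str) -> Decimal:
    """Midpoint of the Table 1.2 range, rounded half-up to two decimals:
    P -> 0.86 and S -> 0.63, the weights used in the summary table."""
    if mark not in IMPACT_RANGES:
        return Decimal("0")
    lo, hi = IMPACT_RANGES[mark]
    midpoint = (Decimal(lo) + Decimal(hi)) / Decimal(200)   # /2, then /100
    return midpoint.quantize(TWO_PLACES, rounding=ROUND_HALF_UP)


@dataclass
class ProcessAssessment:
    pid: str
    marks: dict    # criterion -> "P" or "S"; criteria not listed are blank
    level: int     # assessed (real) maturity level, 0..5

    def real(self) -> dict:
        """impact x real level for each marked criterion."""
        return {c: weight(m) * self.level for c, m in self.marks.items()}

    def ideal(self) -> dict:
        """impact x ideal level for each marked criterion."""
        return {c: weight(m) * IDEAL_LEVEL for c, m in self.marks.items()}


def percentage_achieved(real, ideal) -> Decimal:
    """Share of the ideal score reached, as a percentage to two decimals."""
    real, ideal = Decimal(str(real)), Decimal(str(ideal))
    if ideal == 0:
        return Decimal("0.00")
    return (real / ideal * 100).quantize(TWO_PLACES, rounding=ROUND_HALF_UP)


def aggregate(processes):
    """Column totals (real and ideal) and the percentage per criterion."""
    real = {c: Decimal("0") for c in CRITERIA}
    ideal = {c: Decimal("0") for c in CRITERIA}
    for p in processes:
        for c, v in p.real().items():
            real[c] += v
        for c, v in p.ideal().items():
            ideal[c] += v
    pct = {c: percentage_achieved(real[c], ideal[c]) for c in CRITERIA}
    return real, ideal, pct


def overall_score(percentages) -> Decimal:
    """The final figure of the results table: the plain mean of the seven
    criterion percentages, to one decimal."""
    values = [Decimal(str(v)) for v in percentages]
    mean = sum(values, Decimal("0")) / len(values)
    return mean.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


# Constructed sample (assumption). PO1 carries the marks and level shown for it
# in the summary table; which named criterion each mark belongs to, and the
# DS5 and ME3 rows, are illustrative and not taken from the page.
SAMPLE = [
    ProcessAssessment("PO1", {"effectiveness": "P", "efficiency": "S"}, 1),
    ProcessAssessment("DS5", {"effectiveness": "P", "confidentiality": "P",
                              "integrity": "S", "availability": "S",
                              "compliance": "S"}, 2),
    ProcessAssessment("ME3", {"compliance": "P", "reliability": "S"}, 0),
]

if __name__ == "__main__":
    real, ideal, pct = aggregate(SAMPLE)
    for c in CRITERIA:
        print(f"{c:<16} real={real[c]:>5} ideal={ideal[c]:>5} achieved={pct[c]:>6}%")
    print("overall:", overall_score(pct.values()), "%")
    # The document's own column totals reproduce its percentages (26.93, 24.9):
    print(percentage_achieved(17.6, 65.35),
          overall_score([26.93, 26.23, 25.43, 21.18, 26.49, 23.66, 24.44]))
```

Decimal arithmetic with half-up rounding is used deliberately: the document's figures are two-decimal products and quotients, and binary floats would round 85.5 and some of the quotients the other way.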

Next, each of the information criteria is analyzed:

EFFECTIVENESS. For this information criterion a percentage of 26.93% out of 100% was obtained, meaning that the information that is important to the Organization, that affects its business processes and that must be delivered in a timely, consistent and truthful manner, has reached 26.93% of the ideal.

EFFICIENCY. For this information criterion a percentage of 26.23% out of 100% was obtained, meaning that the information that should be generated through the optimal use of the Organization's resources has reached 26.23% of the ideal.

CONFIDENTIALITY.-

INTEGRITY.

AVAILABILITY.

COMPLIANCE.

RELIABILITY.

RECOMMENDATIONS
