Assessing Security Control Framework Impact in the Retail Sector: What Value Can COBIT 5 Add to ITIL Adoption?

Lal, Vishal
Cusack, Brian
Degree name
Master of Computer and Information Sciences
Auckland University of Technology

Due to advancements in technology, retailers have gained the ability to reach a greater clientele base. Retailers have invested heavily in e-marketing in order to promote themselves to customers who would otherwise be out of reach of a physical retail shop. Online marketing allows retailers to advertise through AdWords, emails and text messages, and general web advertising. The consequence is that retailers have introduced many new IT processes to accommodate customer and business needs. While these developments allow retailers to maximize their earning potential, they also bring about risks, such as those to information security, and increasing costs due to not implementing efficient IT processes. In order to maintain competitiveness in the market, they need to implement best practices prescribed by industry standards and use control frameworks for risk management. Since a business works as a system, various processes tend to depend on each other, and it therefore becomes necessary for service level agreements to be in place so that processes are not delayed. Failure to perform one critical task appropriately could potentially cause a domino-like effect on other processes. Unfortunately, not all task performers adhere to procedures and thus negatively impact the overall performance of the business, meaning that the business doesn't perform as efficiently as it would if processes were performed in accordance with the standards. To combat this issue, IT auditors use different audit tools to assess the efficiency of IT processes and to determine and recommend ways to improve these processes so that they perform at optimised levels. The purpose of this research is to perform a maturity assessment on three IT processes used in a retail business. These processes are the Security Access Requests, the End of Day Process, and the Campaign Loading Process.
The assessment process involves observing research participants performing these processes and then interviewing them to identify the issues that prevented the processes being performed at higher efficiency levels. The research participants were also asked to give each of their respective processes a maturity rating and to say how, in their opinion, these ratings could be improved. The maturity ratings were based on the Capability Maturity Model Interface from COBIT 5. The ratings were then analysed based on the observations made and interview responses. The research question is: What Value Can COBIT 5 Add to ITIL Adoption? The findings from the research show that there are many reasons that a process may not be performing at the best efficiency level. Factors contributing to the increase of a capability maturity level measure are: the existence of service level agreements, the intention to follow standard operating procedures, effective training and a commitment to continuous improvement. The absence of any of these is detrimental to business performance as a whole. It was also discovered in the research that implementing recommendations for improvements has costs attached to it. These costs can be financial, or take the form of time consumption and resource utilisation. The findings show that sometimes processes can be improved by using the services of in-house development teams. They also show that sometimes the best way to improve a process is to simply follow the required steps prescribed for the process. Therefore, the value we are looking at relates to the benefits or gains derived from adopting a control framework. The outcome of this research provides a thorough understanding of using COBIT 5 CMMI to assess the level of maturity attained by various IT processes in the retail sector. It also enables readers to understand the problems faced by process operators that affect the level of efficiency.
In addition, it provides a comprehensive understanding of ways in which processes could be improved to support the business's objectives. Moreover, it paves the way for research in the same area using more resources and assessing a greater number of IT processes, as well as related areas such as corporate social responsibility from an IT perspective.

IT Audit, Security Audit, COBIT5, ITIL, Retail, Process Improvement