COBIT Case Study: Information and Communications Technology Study of Public Health Institutions in Mexico 


Come join the discussionCome join the discussion! Carlos Zamora Sotelo and Carlos H. García Orozco will respond to questions in the discussion area of the COBIT 5—Use It Effectively topic beginning 21 October 2013.

  • Select the main processes
  • Identify the current health services’ capacities, gaps and risk factors related to those gaps
  • Reach implementation and maturity goals

Figure 1


COBIT 5 utilization in the ICT assessment of public health institutions in Mexico was focused on the following areas:

  • Defining the IT substantive processes—According to COBIT 5 and as a first step, ConSETI and Brio selected the business objectives that had higher impact on the citizens. Eight were selected and mapped, as shown in figure 1, resulting in 13 IT-related objectives, highlighted in green in figure 1.

    The second step was to map IT-selected objectives vs. the 37 primary COBIT processes. Figure 2 is an example of the Align, Plan and Organize (APO) process with seven priority processes. The total number of processes selected was 34.

Figure 2

  • Scoring processes capacities—For this assessment, the COBIT 4.1 process maturity model was used rather than the newer COBIT Process Assessment Model (PAM) because the PAM framework was released after the conclusion of the assessment.

    The COBIT 4.1 process maturity model was used for scoring IT-selected processes, taking into account the following attributes: responsibility and accountability; skills and expertise; policies, plans and procedures; awareness and communication; goal setting and measurement; and tools and automation. Every attribute was evaluated according to the level of maturity defined in COBIT, to obtain the final score for every selected process, as shown in figure 3.

Figure 3

  • Gap analysis—To determine gaps, the fourth maturity level of capacity (the process is able to generate the results defined) was defined as the goal to achieve and it was contrasted against the capacity level evaluated previously. Process capability level 4 (ensure efficient and effective health services, and make predictable processes) was established as the goal and is the basis for further definition of the strategy and action plan.
  • Associated risk—To identify the risk factors of each COBIT process selected, identified gaps were taken into the gap analysis performed, thus evaluating the potential negative impact that these gaps could have if not adequately addressed and materialized. Relevant and inherent risk scenarios for each process were generated. For this, it was necessary to build on the mapping of COBIT risk scenarios. Figure 4 is an example of the mapping performed.

    It is important to mention that, in the identification of risk scenarios, ConSETI and Brio did not evaluate the frequency of occurrence of identified risk.

Figure 4


Integrating the COBIT 5 framework into the ICT Study of Public Health Institutions in Mexico has resulted in the following positive impacts:

  • The development of a well-defined, standardized analysis methodology, to determine gaps and risk factors associated to the main IT processes selected for health services institutions, related and aligned to major problems, such as the availability of health records and medical consultation time improvement
  • Better alignment among IT and business goals and pain points
  • The generation of proposals, projects and IT strategies based on gap and risk analysis, according to the capacity goal defined

At this point, COBIT 5 has been used only in the as-is diagnosis. In the future, the sponsors of this study plan to use the same framework for the to-be state, in order to define a competitive products and services portfolio, within and while implementing governance of enterprise IT assurance.