A Governance and Management Framework for Green IT

In recent years, Green Information Technology (IT) has grown enormously, and has become an increasingly important and essential area, providing multiple benefits to the organizations that focus on it. It is for this reason that there is an increasing number of organizations embracing the idea of Green IT. However, Green IT is a very young field and each organization implements it according to its own criteria. That is why it is extremely important to develop the bases or best practices of governance and management that allow organizations to implement Green IT practices correctly and standardize them. In this article, we propose the “Governance and Management Framework for Green IT”, establishing the characteristics needed to carry out the governance and management of Green IT in an organization, and perform audits in this area. This framework is based on COBIT 5, which is a general framework for the control and audit of different areas related to IT. The results obtained through different validations demonstrate the validity and usefulness of the framework developed in the field of Green IT, providing a complete guide to the organizations in their efforts to implement, control and/or improve the practices of Green IT in their processes and day-to-day operations.


Introduction
Our planet is suffering; it faces new and different problems every day that unfortunately cannot be resolved alone.Most (if not all) of these problems have been caused by mankind, and this has led society, and organizations in particular, to increasingly rethink the effectiveness, efficiency and consumption of their activities in the quest to remedy or mitigate their harmful impacts on the environment.
This issue has become a major concern for government organizations around the world, who are pooling their efforts to protect the environment.An example of this is the European Union, which, through its Circular Economy Action Plan [1], is striving for a more sustainable direction of the environment in different fields.One of the main areas where the European Union has focused its attention is the field of Information Technology (IT), which, especially in recent years, has proven to be a potential enemy of the environment.The constant and unstoppable advancement and adoption of technology in all areas has led to an exponential growth in the impact of IT on the environment.
That is why the concept of Green IT has come about, the intention of which is to contribute to eco-sustainability in and from IT.This idea of Green IT has been gaining increasing relevance as a strategy able to add value to business [2], and more and more organizations are adopting Green IT practices within their processes and daily operations [3].
However, Green IT is a field with a short history, and although the number of best practices is increasing, there are no specific standards to help organizations implement the governance and management of Green IT.We thus believe that it is necessary to establish the bases and characteristics necessary to ensure that the adoption of Green IT on behalf of organizations are sufficient and correct with expected performance.
It is with all the above in mind that we propose the "Governance and Management Framework for Green IT", based on COBIT 5 [4] (the "de facto" standard for the governance, management and auditing of different areas related to IT [5,6]), putting forward a whole framework for defining and establishing the bases of governance and management of Green IT in an organization, and carry out Green IT audits.
The rest of the present study is organized as follows: Section 2 contains the related work on Green IT and governance, management and auditing in this area; Section 3 presents the COBIT 5 framework on which part of this work is based; in Section 4 the "Governance and Management Framework for Green IT" is described, along with its most relevant characteristics; in Section 5 the validations carried out on the "Governance and Management Framework for Green IT" are shown; finally, Section 6 presents the conclusions, and sets out future work with respect to the framework that has been developed.

Related Work
Over the last few years, Green IT has been defined in a variety of ways and from different points of view.Among these definitions, one of the best (adapted from [7]) refers to Green IT as "the study and practice of design, manufacture and use of hardware, software and communication systems with a positive impact on the environment".
Green IT has thus emerged, its goal being to bring the field of sustainability [8] closer to IT.In doing so, it aims to reduce or minimize the environmental impact it entails, and even proposes the utilization of IT to optimize the use of resources in other areas [9].This follows the idea provided by Erdélyi [10], in which Green IT is identified from two perspectives:

•
Green by IT: in which IT is understood as an enabler (in the sense of Unhelkar [11]), providing the tools needed to allow tasks of diverse nature in diverse areas to be carried out in a way that is sustainable for the environment.

•
Green in IT: in which IT is understood as a producer; that is, where IT itself has an impact on the environment due to energy consumption and the emissions it produces, this impact must therefore be reduced.
Presently, there are practically no studies related to the governance and management of Green IT and, in particular, to the area of Green IT audits.In [12] a systematic mapping study related to the field of Green IT audits is carried out, in which particular emphasis is placed on the indicators used in this type of audits.This systematic mapping study demonstrates that studies or research related to the area of Green IT audits are practically non-existent; Green IT audit frameworks, in which the governance and management characteristics of Green IT required to carry out implementations in this area are defined, are also conspicuous by their absence.
In fact, in [12] only two studies stand out as being closely related to the area of Green IT audits: on the one hand, in [13] an analysis of the state of the art of Green IT and the importance of carrying out audits in this area is shown; on the other hand, in [14] a survey on the experiences and opinions of the internal auditors of different organizations in relation to the area of Green IT is presented.
As gray literature, we have found two very relevant studies in this area of Green IT audits, which are important to highlight:

•
The first study [15], developed by The Institute of Internal Auditors Research Foundation (IIARF), deals with a survey conducted on a group of organizations and, in particular, on the internal auditors of these organizations.The intention is to see the level of involvement in Green IT on the part of the organizations, analyzing what they are currently doing in this area, in order to identify what they should do in the future.The survey throws into relief the lack of experience and involvement of organizations in the area of Green IT; this in turn provides multiple opportunities for internal auditors to offer a wide variety of services in this area of Green IT, thereby adding value to the business.

•
The second study [16] is about a thesis carried out at Vrije Universiteit Amsterdam, which contains an investigation about what Green IT is, as well as advantages and disadvantages.Furthermore, it contains a proposal on what characteristics should be considered within an audit of Green IT.This thesis also highlights the absence of any framework related to Green IT and audits in this field.
We can therefore observe how novel the field of Green IT is, and appreciate the need to develop a framework for Green IT that will serve as a guide for establishing governance and management of Green IT in organizations, as well as for controlling/auditing that the Green IT implementations are sufficient and correct, and that they work as expected.

COBIT 5
COBIT 5 (Control Objectives for Information and related Technology) [4] is a framework developed by ISACA (Information Systems Audit and Control Association), which has its origins in the control and audit of the IT area.
COBIT 5 has a set of guidelines and best practices for the governance and management of different areas of IT (such as security, risks, etc.), as shown in Figure 1, by which the basis for conducting audits in these areas are established.However, it should be noted that COBIT 5 does not have any specific guidelines for Green IT or sustainability.The survey throws into relief the lack of experience and involvement of organizations in the area of Green IT; this in turn provides multiple opportunities for internal auditors to offer a wide variety of services in this area of Green IT, thereby adding value to the business.

•
The second study [16] is about a thesis carried out at Vrije Universiteit Amsterdam, which contains an investigation about what Green IT is, as well as advantages and disadvantages.Furthermore, it contains a proposal on what characteristics should be considered within an audit of Green IT.This thesis also highlights the absence of any framework related to Green IT and audits in this field.
We can therefore observe how novel the field of Green IT is, and appreciate the need to develop a framework for Green IT that will serve as a guide for establishing governance and management of Green IT in organizations, as well as for controlling/auditing that the Green IT implementations are sufficient and correct, and that they work as expected.

COBIT 5
COBIT 5 (Control Objectives for Information and related Technology) [4] is a framework developed by ISACA (Information Systems Audit and Control Association), which has its origins in the control and audit of the IT area.
COBIT 5 has a set of guidelines and best practices for the governance and management of different areas of IT (such as security, risks, etc.), as shown in Figure 1, by which the basis for conducting audits in these areas are established.However, it should be noted that COBIT 5 does not have any specific guidelines for Green IT or sustainability.In these guides, COBIT 5 establishes a series of enablers, which define the organizational resources for the government and management of a certain area of IT:

•
Principles, policies and frameworks: are the fundamental means to convert the desired behavior into practical guides for day-to-day management.In short, they are the communication mechanisms used to transmit the direction and instructions of the government and management bodies.

•
Processes: are considered as an organized set of activities designed to achieve certain objectives and produce a set of results that support the general goals related to IT.

•
Organizational structures: are the key decision-making bodies in an organization.

•
Culture, ethics and behavior: are a set of individual and collective behaviors of people and organization.In these guides, COBIT 5 establishes a series of enablers, which define the organizational resources for the government and management of a certain area of IT:

•
Principles, policies and frameworks: are the fundamental means to convert the desired behavior into practical guides for day-to-day management.In short, they are the communication mechanisms used to transmit the direction and instructions of the government and management bodies.

•
Processes: are considered as an organized set of activities designed to achieve certain objectives and produce a set of results that support the general goals related to IT.
• Organizational structures: are the key decision-making bodies in an organization.

•
Culture, ethics and behavior: are a set of individual and collective behaviors of people and organization.

•
Information: is essential for the survival of the organization and its good governance.COBIT 5 notes that, at the operational level, information is the key product of the organization itself.

•
Services, infrastructure and applications: provide services and information processing technologies to the organization.

•
People, skills and competencies: are related to people; these are needed if all activities are to be completed satisfactorily and so that decision-making and corrective actions can be carried out properly.
Of these enablers, it is important to highlight the process enabler, as it explicates the practices and activities for setting up the characteristics of all the other enablers.COBIT 5 establishes a total of 37 processes organized in five domains, which in turn are divided into two large areas (see Figure 2):

•
Governance: formed by one domain (Evaluate, Direct and Monitor (EDM)), which contains five processes.Within these, practices of evaluation, direction and monitoring specific to the area of governance of an organization are defined.• Information: is essential for the survival of the organization and its good governance.COBIT 5 notes that, at the operational level, information is the key product of the organization itself.

•
Services, infrastructure and applications: provide services and information processing technologies to the organization.

•
People, skills and competencies: are related to people; these are needed if all activities are to be completed satisfactorily and so that decision-making and corrective actions can be carried out properly.
Of these enablers, it is important to highlight the process enabler, as it explicates the practices and activities for setting up the characteristics of all the other enablers.COBIT 5 establishes a total of 37 processes organized in five domains, which in turn are divided into two large areas (see Figure 2):  As already explained, COBIT 5 not only defines the necessary governance and management characteristics of a specific area of IT, but also establishes a guide for checking that the defined enablers perform as they should; that is, it provides a guide on how to carry out audits on these enablers [17].As already explained, COBIT 5 not only defines the necessary governance and management characteristics of a specific area of IT, but also establishes a guide for checking that the defined enablers perform as they should; that is, it provides a guide on how to carry out audits on these enablers [17].

Governance and Management Framework for Green IT
The framework developed is based on the COBIT 5 framework, from which it has taken the structure of the enablers that it establishes.For each enabler, the characteristics necessary for the governance and management of Green IT have been defined and developed, taking into account Green IT guides such as Murugesan et al. [18].The most notable characteristics of the "Governance and Management Framework for Green IT" are shown in the following sub-sections.

Structure of the Framework
The "Governance and Management Framework for Green IT" is divided into three sections that address the following topics:

•
Section I: where the framework is put into context, explaining the basic concepts of Green IT and the principles of COBIT 5 (bringing these latter closer to the Green IT perspective).

•
Section II: this is the main part of the framework, since it is here that, using the enablers established by COBIT 5 as a reference, the specific governance and management characteristics of Green IT are defined in detail.This section, therefore, contains the following points: Introduction (where the main characteristics of the enablers established by COBIT 5 are defined).Principles, policies and frameworks that are specific to Green IT.Processes related to Green IT.Organizational structures that are specific to Green IT.Culture, ethics and behavior that are specific to Green IT.Information that is specific to Green IT.Services, infrastructure and applications that are specific to Green IT.People, skills and competencies that are specific to Green IT.
• Section III: this last section contains a guide or framework for conducting Green IT audits, following the "Governance and Management Framework for Green IT" and the audit guide defined in COBIT 5 for Assurance [17].This guide for conducting Green IT audits includes the evaluation or audit phases to be followed, as well as the audit questions arising from the process enabler related to Green IT defined in the previous section.
As can be seen, these sections cover different characteristics that are needed for establishing and auditing the governance and management of Green IT in an organization, ending with the absence of specific frameworks for the governance and management of Green IT.
Sections II and III of the "Governance and Management Framework for Green IT" are explained in more detail below.

Principles, Polices and Frameworks
The principles, policies and frameworks that are specific to Green IT define the guidelines established to manage the different members of an organization with respect to the desired behavior in Green IT.This behavior is at all times aimed at defending the idea of sustainability and the Green behavior that we must have towards the environment as defined by European Union [19].
Within Green IT there are no principles and policies defined, so in the "Governance and Management Framework for Green IT" we propose those principles and policies that are considered basic within this field, based on the main principles and policies for IT that are standardized through frameworks such as COBIT 5.
Thus, in relation to the principles that are important to follow in Green IT, we propose that the organizations:

•
Give quality and value to the stakeholders: the commitment of stakeholders to Green IT should be obtained, ensuring that the Green IT is adapted to stakeholder needs and that it meets the needs of goals derived from these.

•
Comply with relevant legal requirements and regulations: those legal requirements and/or regulations that are specific to Green IT and which are related to this should be identified, applied and monitored, in full awareness of legal sanctions that might be imposed if this is not done.

•
Provide convenient and precise information on the functioning of Green IT: a means of communication and a way of gathering information on a regular basis should be established, in an effort to keep all the stakeholders informed about the ongoing performance of Green IT.

•
Evaluate present and future IT capabilities: the present and future capabilities of IT should be evaluated, for supporting the Green IT most suitable for the present and future situations.

•
Promote ongoing improvement in Green IT: techniques and/or best practices of Green IT should be adapted and improved according to the state of the art in the field in question.

•
Adopt a strategy that is based on the efficient use of IT resources: there needs to be a strategy established that assures the effective and efficient use of IT resources in terms of sustainability.

•
Develop the systems in a sustainable way: systems that meet quality and sustainability standards need to be designed, built and put in place.

•
Act professionally and ethically: action on the issue of Green IT should be undertaken responsibly and with awareness of the internal and external impact.

•
Foster a positive culture of Green IT: the importance of Green IT in the day-to-day activities of the organization should be emphasized, so that awareness of the issue amongst people inside the organization and outside it is heightened.
Specific policies of Green IT that should be defined within an organization have been identified as follows: • Policy of Green IT: which includes definition and vision of Green IT, strategic plans for Green IT, alignment of the policy of Green IT with the other high-level policies, identification and development of specific aspects of Green IT, management of the budget and costs of the life cycle of Green IT, and responsibilities associated with Green IT, among others.

•
Policy of acquisition, development and maintenance of IT systems: which includes (taking into account the Green IT) requirements of the IT systems, life cycle of the systems of IT and of Green IT, management of the budget and cost of the life cycle of the IT systems, buying/acquisition processes of the IT systems, management of the life cycle of the IT systems, and responsibilities associated with the acquisition and management of the IT systems, among others.

•
Policy of resource management: which includes (taking into account the Green IT) plan and goals of the resource management, identification of the resources, processes involved in the management of resources related to, or affected by, Green IT, and responsibilities associated with the management of resources related to, or affected by, Green IT, among others.

•
Policy of compliance: which includes areas of Green IT to be evaluated, processes for the evaluation of the compliance of Green IT, metrics, indicators and repositories for the evaluation of compliance of Green IT, and responsibilities associated with the evaluation of compliance of Green IT, among others.

•
Policy of conduct: which includes appropriate use of the techniques and/or best practices of Green IT, and sanctions derived from the inappropriate use of the techniques and/or best practices of Green IT, among others.
• Policy of asset management: which includes classification and definition of the assets related to, or affected by, Green IT, use and prioritization of resources, management of the life cycle of the assets related to, or affected by, Green IT, measures for the protection of the assets related to, or affected by, Green IT, and responsibilities associated with the management of assets related to, or affected by, Green IT, among others.

Processes
The processes of Green IT define a series of best practices and activities that serve to achieve the goals of both Green IT on the one hand, and the IT and the organization on the other.It should be noted that in audits these processes are evaluated, because through them all relevant aspects of governance and management are analyzed through them.
In order to define the processes of Green IT, the COBIT 5 processes have been taken into account.For the analysis and selection of the COBIT 5 processes that are more directly related to Green IT, we conducted a workshop with five experts from an IT department, with more than 10 years of management and research experience, certification in CISA (Certified Information Systems Auditor), experience in auditing, and who are currently working on issues related to Green IT, IT and auditing.
These five experts are: the head of the IT department (with 20 years of experience in the position), the IT quality manager (with 16 years of experience in the position), the IT project manager (with 17 years of experience in the position), the software development manager (with 11 years of experience in the position), and the IT procurement manager (with 13 years of experience in the position).
Thus, in the "Governance and Management Framework for Green IT", of the 37 processes established by COBIT 5, a total of 15 processes have been selected and adapted to the Green IT.It should be noted that only the processes where the five experts have reached a consensus and agreed to include them to the framework have been selected.The selected processes, along with the justification of the choice of each process, are shown below:

•
Governance processes: EDM01.Ensure governance framework setting and maintenance: it is vital to ensure that the organization has a governance framework for Green IT, which identifies the main requirements and characteristics of Green IT for the organization through the different enablers (principles, processes, structures, etc.).EDM02.Ensure benefits delivery: as with other investments, it is very important to ensure that the organization obtains correct benefits delivery (value) from investments made in Green IT.EDM03.Ensure risk optimization: risks are present in all areas of the business, so the organization must define its risk appetite and identify and manage the main risks derived from Green IT at organizational level (from the point of view of governance).EDM04.Ensure resource optimization: Green IT resources (people, facilities, technology, etc.) are essential for the proper operation of this area, so it is the duty of the organization to ensure that the necessary resources to Green IT are allocated, managed and optimized.EDM05.Ensure stakeholder transparency: stakeholders are one of the fundamental pillars in decision-making and in the success of the organization, so it is vital that they are informed of the current state of the organization in the area of Green IT.

• Management processes:
APO01.Manage the IT management framework: in order to maintain the governance framework for Green IT, it is necessary to define and manage a Green IT management framework that translates the characteristics of Green IT from the governance framework into real actions and practices within the organization.
APO02.Manage strategy: it is necessary to define and manage a Green IT strategy (aligned at all times with business objectives), through which the direction to take to achieve the objectives and goals of the business in the area of Green IT is established.APO06.Manage budget and costs: in order for activities and practices of Green IT to work properly, it is necessary to have a budget in line with the needs in this area, so a correct management of budget and costs of Green IT must be carried out.APO08.Manage relationships: Green IT cannot be treated and operated in an isolated way within the organization, so it is important to manage the relationships between Green IT and the business, establishing adequate systems of communication, awareness, etc. BAI02.Manage requirements definition: it is necessary identify, analyze and establish the requirements that will guide the implementation of new practices of Green IT to ensure that they are in line with organization strategic requirements.BAI03.Manage solutions identification and build: to meet the requirements defined by the organization in matters of Green IT, it is necessary to identify and implement those Green IT solutions that allow for compliance with those requirements.BAI09.Manage assets: both the assets and resources of Green IT as well as other relevant assets affected by Green IT within the organization must be managed to ensure that they fulfill with their specific function and the organization obtains optimal value from them.DSS01.Manage operations: as in all other business areas, Green IT operations must be managed to ensure that functional level of Green IT meets all business requirements, regulations, etc. MEA01.Monitor, evaluate and assess performance and conformance: in order to verify that the Green IT meets the requirements of the business, it is necessary to monitor, evaluate and assess the performance and conformance of Green IT, so that decisions and corrective actions can be taken.MEA03.Monitor, evaluate and assess compliance with external requirements: the external requirements (laws, regulations, etc.) in most cases are mandatory, so it is vital to have a system that monitors, evaluates and assesses compliance of the organization's Green IT with these external requirements, to take decisions and corrective actions in this regard.
We have maintained the basic characteristics of the COBIT 5 processes and we have adapted these characteristics with specific aspects of sustainability and Green IT.Thus, in each process we have instantiated and defined the following characteristics:

•
The goals that are specific to Green IT for that process and the metrics that can be used to see if those goals are met.

•
A RACI matrix (a responsibility assignment matrix) in relation to the position of the specific roles of Green IT (defined in the enabler of organizational structures) with respect to the specific practices of this process.

•
The practices of the process that are specific to Green IT, identifying the inputs and outputs of each practice, as well as the activities specific to Green IT, which will define the actions to be evaluated or audited to check if a particular Green IT implementation complies with the process.
Therefore, these processes of Green IT do not seek to replace the COBIT 5 processes to which they refer, but rather, they seek to complement them with aspects of Green IT.
Finally, it is important to note that in the workshop we decided to exclude the remaining 22 processes of COBIT 5 since the practices and activities of those processes are not directly related to Green IT practices.This is due to the fact that Green IT is a specific part of IT that is more abstract and novel, without as many technical requirements, among other reasons.By way of example (the rest are not described for reasons of space), the justification of not including the "APO13: Manage security" process is because the security issues do not affect the Green IT, in the Green IT only specific practices or activities related to sustainability are carried out (safety is not taken into account).

Organizational Structures
The organizational structures that are specific to Green IT establish those roles or decision-makers that are pertinent in this area.
In this regard, the "Governance and Management Framework for Green IT" identified two main roles in the areas of governance and management of Green IT:

•
Chief Sustainability Officer (CSO): has overall responsibility for the management of the whole Green IT life cycle.The CSO is entirely responsible for the program of Green IT in the organization.

•
Sustainability Steering Committee (SSC): has the responsibility of checking that the best practices of Green IT are applied effectively and efficiently throughout the whole organization.
The SSC should ensure that the Green IT performs properly, and that the plan and strategy of Green IT are applied effectively and efficiently throughout the whole organization.
It should be noted that, while the CSO is related more to the area of management of Green IT, the SSC is responsible for the governance of Green IT.
In addition to these specific roles of Green IT, there are other roles that may form part of Green IT decision-making (and as such be members of the SSC).These could be, for example, the Chief Information Officer (CIO) or the Chief Technology Officer (CTO), among others.

Culture, Ethics and Behavior
The culture, ethics and behavior that are specific to Green IT refer to the codes of good conduct and guides of action that define the correct way in which all activities related to Green IT must be carried out by the different members of an organization and by the organization itself.
Within the area of Green IT, in the "Governance and Management Framework for Green IT" the following desirable behaviors are proposed:

•
Green IT is put into practice in day-to-day operations: on the part of the organization, Green IT is included as a key area in the establishment and achievement of the organizational objectives; and, on the part of the individuals, the best practices of Green IT are followed, since the individuals are committed both to Green IT and to the success of the organization.

•
The importance of the policies and principles of Green IT are respected: on the part of the organization, the board of directors and the executive management support the policies and principles of Green IT, approving them, checking them and communicating them to the rest of the organization at regular intervals; and, on the part of the individuals, the policies and principles of Green IT are known and understood, and the guidelines that they establish are followed.

•
The members and stakeholders are provided with enough detailed guidelines on Green IT, and compliance with these is encouraged: on the part of the organization, there is active communication with the members and stakeholders of the organization, in which the relevant aspects of Green IT are reported on in detail (knowledge of these, and compliance with them, is encouraged); and, on the part of the individuals, the relevant aspects of Green IT are known and understood; they are fulfilled and made known to the remaining individuals.

•
The members and stakeholders of the organization are responsible for the proper use of Green IT: on the part of the organization, all the responsibilities and measures in the use of Green IT (disciplinary and of rewards) are identified and communicated; and, on the part of the individuals, the responsibilities related to Green IT are known, understood and taken on.

•
The members and stakeholders of the organization identify and communicate new Green IT needs: on the part of the organization, there is active communication; the opportunity to comment on the needs of Green IT, considering and evaluating the new proposals, is given to the members and stakeholders of the organization; and, on the part of the individuals, there is active participation in Green IT issues on behalf of the members and stakeholders of the organization; in this participation all the relevant needs related to Green IT are debated and commented on.

•
The members and stakeholders of the organization are receptive when identifying and managing new Green IT challenges: on the part of the organization, there is commitment, and all the innovations and new challenges in Green IT are tackled; and, on the part of the individuals, there is a positive position towards the innovations and new challenges in Green IT, and there is also active participation when new ideas and needs in Green IT are proposed.

•
The organization is committed to, and aligned with, Green IT: on the part of the organization, the board of directors and the executive management are committed to Green IT, through active cooperation in the Green IT management processes, and by maintaining and improving the integration of Green IT in the organization; and, on the part of the individuals, there is a high level of commitment to Green IT, with attempts to approach the issue positively, helping it to be integrated into the organization correctly.

•
The organization acknowledges the value brought to it by Green IT: on the part of the organization, the board of directors and the executive management recognize the value that Green IT provides to the organization with what concerns the benefits, reputation, competitive edge, etc., and they consider it essential for the proper functioning of the organization; and, on the part of the individuals, the value of Green IT for the organization is acknowledged, and ideas for generating new value or for increasing what already exists are provided.

Information
The specific information of Green IT is one of the basic pillars in the governance and management of this area, as thanks to this information the appropriate decisions on action for the correct implementation, operation and maintenance of Green IT can be taken.
It is very important that each organization tailors the needs and types of information to its own objectives and to the level of implementation and governance and management of Green IT that it has.However, in the "Governance and Management Framework for Green IT", the following types of information of Green IT are defined:

•
Policies and principles of Green IT: aim to serve as a guide to indicate the behavior that is desirable for the members of organization and stakeholders to produce with respect to Green IT.

•
Plan and strategy of Green IT: aim to produce an appropriate direction or road map for the organization in Green IT.

•
Requirements of Green IT: should be well-defined, thorough and realistic about the needs and/or interests of the organization and its stakeholders.

•
Budget of Green IT: aims to achieve appropriate financing for the program of Green IT and assure correct function of Green IT.

•
Awareness material of Green IT: aims to inform on the importance of Green IT, not only at an internal level in the organization, but also at an external level.

•
Review reports of Green IT: aim to detect possible faults, inconsistencies or deficiencies in every aspect that is related to Green IT in the organization, so that corrective measures can be taken.

•
Scorecard of Green IT: aims to provide the information needed for appropriate decisions to be taken and for correct management of Green IT in the organization to be carried out.

Services, Infrastructure and Applications
The services, infrastructure and applications that are specific to Green IT provide the basis on which the processes, activities and day-to-day operations of Green IT are carried out.
The "Governance and Management Framework for Green IT" points out that an organization must at the very least provide the aspects or characteristics necessary to carry out and maintain the following activities or services in relation to Green IT:

•
Architecture of Green IT: with the objectives of aligning the architecture of Green IT with the organizational architecture, managing and maintaining a correct architecture of Green IT, setting up and maintaining an inventory of assets of Green IT, and establishing and maintaining a discovery of the infrastructure of Green IT.

•
Awareness of, and training in, Green IT: with the objectives of establishing a system of communication and distribution of relevant information on Green IT, and managing the program of awareness and training and keeping it up-to-date.

•
Evaluations and tests of Green IT: with the objectives of carrying out evaluations and tests on the effectiveness and efficiency of Green IT, and providing a system of reports on the evaluations and tests of Green IT, with the appropriate information for management and decision-making.

People, Skills and Competences
The people, skills and competences that are specific to Green IT are the most important assets of this area, since it is people who will govern and manage everything related to Green IT.Consequently, these individuals must have the appropriate skills and competences in this respect.
As so, the "Governance and Management Framework for Green IT" defines the skills and competences that those who are responsible or belong to each area must have:

•
Governance of Green IT: the roles of this area should establish and maintain the framework and processes of the organization's Green IT, ensuring that the strategy of Green IT is aligned with the goals of Green IT and of the organization.

•
Strategy of Green IT: the roles in this area should define and implement the vision, mission and objectives of Green IT, always maintaining the alignment with the strategy and organizational culture.

•
Architecture of Green IT: the roles in this area should design, implement and monitor the architecture of Green IT, fitting it to the needs and capabilities of the organization.

•
Operations of Green IT: the roles of this area carry out the operations of implementation and management of the practices and processes of Green IT, ensuring that the program of Green IT is aligned with the strategy of Green IT that has been established.

•
Evaluation, tests and compliance of Green IT: the roles in this area should evaluate and ensure that the Green IT complies with the rules and regulations, as well as with the policies, principles, strategy, objectives, etc., defined by the organization in the area of Green IT.

Green IT Audits
The framework for auditing the Green IT that is defined in the "Governance and Management Framework for Green IT" is intended to guide the auditors of Green IT by setting out which assessment or audit phases should be followed, as well as by providing the questions to consider.
It should be said first of all that the evaluation phases of Green IT are based on the audit guide defined in COBIT 5 for Assurance [17].These phases and sub-phases, adapted to the Green IT, are as follows:

•
Determine scope of the assurance initiative of Green IT.
Determine the stakeholders of the assurance initiative and their stake.Determine the assurance objectives, considering the evaluation of the internal and external environment/context, along with the relevant risks and associated opportunities.Determine the enablers in the scope and their instances; in other words, determine the level of implementation of the enablers of Green IT and their characteristics and relevant aspects.
• Understand enablers of Green IT, set suitable assessment criteria and perform the assessment or audit of Green IT.
Understand and evaluate the principles, policies and frameworks that are specific to Green IT.Understand and evaluate the processes related to Green IT.Understand and evaluate the organizational structures that are specific to Green IT.Understand and evaluate the culture, ethics and behavior that are specific to Green IT.Understand and evaluate the information that is specific to Green IT.Understand and evaluate the services, infrastructure and applications that are specific to Green IT.Understand and evaluate the people, skills and competencies that are specific to Green IT.
• Communicate the results of the assessment of Green IT.
Document the exceptions and deficiencies found in the Green IT.
Communicate the work carried out, along with the findings.
Secondly, the audit questions defined for Green IT are based on the specific process enabler of Green IT, which analyzes all relevant aspects of the other governance and management enablers of Green IT (all defined in the "Governance and Management Framework for Green IT").
In this way, in total of 122 audit questions have been established, divided between the 15 processes of Green IT that have been established (which are in turn divided into the five governance and management domains that COBIT 5 identifies).As an example, Table 1 shows some of the Green IT audit questions defined in one of the management processes (MEA03).

MEA03. Monitor, evaluate and assess compliance with external requirements
Are the new legal, regulatory and contractual requirements that may affect the organization's Green IT continually identified, implemented and continually monitored?
Are the policies, principles, requirements, objectives and solutions of the organization's Green IT aligned with the legal, regulatory and contractual requirements that are applicable?
Is there assured conformance and compliance of the policies, principles, requirements, objectives and solutions of the organization's Green IT with the legal, regulatory and contractual requirements that are applicable?
As regards the data related to fulfillment of the external compliance requirements that are applicable to the organization's Green IT: are these obtained and verified?
Are corrective measures taken to align the organization's Green IT with the external compliance requirements?

Case Studies
Once the "Governance and Management Framework for Green IT" had been developed, it was necessary to validate it, seeking to verify that the characteristics defined within it are consistent and applicable in the real world.To this end, two case studies have been carried out, in which two IT centers were audited: an IT Research Institute and an IT Service Center.For reasons of confidentiality these are identified as RI (Research Institute) and SC (Service Center).To carry out these audits, a series of interviews have been conducted with the directors and IT managers of both centers.
Thanks to these practical cases, both centers have been offered a road map to follow in their implementation of Green IT; in addition, we have obtained an initial validation of the proposal put forward by the "Governance and Management Framework for Green IT".
In these validations, we have succeeded in strengthening the precision of the audit framework included in Section III of the "Governance and Management Framework for Green IT"; we have also established the applicability of the different governance and management characteristics of Green IT defined in Section II of the framework that has been developed.
The following sections describe the most relevant aspects with respect to each practical case along with the considerations on the validity of the results.

Research Institute
The RI is a center dedicated to research within the area of IT, as well as to the development of software (mainly) and hardware in this field.
As an initial step towards the adoption of Green IT, the RI decided to carry out a Green IT audit following the "Governance and Management Framework for Green IT"; the results of this audit were intended to serve as a general analysis about the current status and the desired status of Green IT in the organization to start the implementation of the Green IT in a structured and progressive way.
The results of the Green IT audit (Table 2) demonstrated the lack of involvement of the RI with Green IT.This was evident in the limited practices carried out until then, as well as in the low priority given to this area within the processes and daily operations of the center.

Yes Partially No
EDM01: Ensure governance framework setting and maintenance X EDM02: Ensure benefits delivery X EDM03: Ensure risk optimization X EDM04: Ensure resource optimization X EDM05: Ensure stakeholder transparency X APO01: Manage the IT management framework X APO02: Manage strategy X APO06: Manage budget and costs X APO08: Manage relationships X BAI02: Manage requirements definition X BAI03: Manage solutions identification and build X BAI09: Manage assets X DSS01: Manage operations X MEA01: Monitor, evaluate and assess performance and conformance X MEA03: Monitor, evaluate and assess compliance with external requirements X Yes: all Green IT audit questions related to this process have an affirmative answer (except those that are N/A); Partially: some Green IT audit questions related to this process have an affirmative answer while others have a negative answer (except those that are N/A); No: all Green IT audit questions related to this process have a negative answer (except those that are N/A).
From what concerns the "Governance and Management Framework for Green IT", this first case study served as an initial contact, by means of which we have been able to see the scope of the framework.It has also made it possible to refine, improve the wording and consolidate some aspects related to the enablers, as well as to demonstrate the validity of the audit phases and audit questions specific to Green IT that are established in the framework.
It should be added here that the RI has taken the "Governance and Management Framework for Green IT" as a guide for the adoption of Green IT in the organization.

Service Center
The SC is a center dedicated to the management of the IT services of a university with more than 30,000 students, distributed over several campuses.This center is committed to the environment, and has carried out some sustainable practices related to IT (Green IT practices), such as:

•
Implementation of cloud computing services.

•
Establishment of a corporate printing service, reducing the number of printing devices (deploying a corporate printing platform based on the use of shared printing equipment) and raising awareness of the need to save on printing issues, printing only what is necessary.
• Implementation of a service of withdrawal and subsequent recycling of electrical and electronic waste, i.e., all obsolete computer equipment.

•
Redesign of the data center, in order to improve energy and cooling efficiency.
With these Green IT practices implemented by the SC, relevant results have been obtained in reducing the negative environmental impact of the university; among these results it is important to highlight:

•
Reduction of 20% of the energy destined for the cooling of the data center (obtaining a PUE-Power Usage Effectiveness of 1.4).

•
Reduction of 52% of CO 2 emissions from university IT.

•
Withdrawal of more than 48 tons of obsolete computer equipment for later recycling.
Thanks to all this, it is estimated that the university has avoided the generation of 7261 kg of CO 2 and has achieved a saving of 2631 m 3 of water.
Until recently, the SC had been implementing all of these Green IT practices according to its own criteria and taking into account some examples of Green IT applied to the field of higher education established by EDUCAUSE [20].Therefore, once the existence of the "Governance and Management Framework for Green IT" was known, the SC decided to carry out an audit of Green IT, in order to identify and solve the existing gaps in the Green IT practices it was carrying out.
The results of the Green IT audit (Table 3) demonstrated the high level of engagement with Green IT on the part of the SC.However, the need to define and formalize certain non-existent characteristics related to the governance and management of this area was identified, in an attempt to establish a more consistent basis and guide for implementing new Green IT initiatives, as well as to govern and manage the current ones with greater efficiency and in a more correct way.Yes: all Green IT audit questions related to this process have an affirmative answer (except those that are N/A); Partially: some Green IT audit questions related to this process have an affirmative answer while others have a negative answer (except those that are N/A); No: all Green IT audit questions related to this process have a negative answer (except those that are N/A).
From what concerns the "Governance and Management Framework for Green IT", this second case has been of consistent validation, given that practices of Green IT are already currently implemented by the SC.Thanks to this, the validity of the framework we have developed has been further strengthened, and some points of improvement and future work have been identified (which are shown in Section 6).
For its part, the SC has taken the "Governance and Management Framework for Green IT" as a guide to further implement and improve Green IT within its business processes.

Threats to Validity
Regarding the four aspects of the validity defined by Runeson et al. [21], several considerations must be taken into account:

•
Construct validity: we have been very careful in order to interpret the constructs in the same way as the practitioners.We have also adopted the definitions about governance and management from a well-known framework (COBIT 5) that clearly defines all the constructs, so in this respect there are no discrepancies between the researcher and different practitioners.However, it is conspicuous that in the Green IT area some issues are not interpreted in the same way by the researcher and different practitioners and it is on these aspects that we have influenced more and we have defined and explained them in detail to avoid these discrepancies.

•
Internal validity: one of the most significant threats that may affect to the internal validity is the possibility that the audited organizations may have problems to carry out the audit or to make a progressive implementation of the framework (due to lack of time and/or resources, discrepancies or disputes with researchers, lack of support from senior management, etc.).To address this threat, we first made a formal presentation about the framework (to obtain the organization's commitment) and, subsequently, we conducted an analysis to the organization to determine if they have sufficient resources and time (as well as their level of interest) to carry out the audit and the implementation of the framework.Also, we have avoided having a single contact within the organizations, to avoid that the unavailability of a person affects the work and thus to have different people with whom to contact and to work.

•
External validity: in the second case study, we deal with a SC that is a center dedicated to the management of the IT services of a university, but in general all the SC or data processing centers have the same kind of infrastructures, stakeholders and problems.However, these variables could be very different for other kind of organizations that have different business objectives.Therefore, to mitigate this threat to validity it is necessary to carry out more case studies in different organizations in order to generalize the findings, and to refine the framework so that it could be truly generalized (for its application in different types of organizations).

•
Reliability: in order to reduce bias by the main researcher (the first author), the transcription of interviews and focus groups (data collection techniques defined at [22]) was conducted independently by the other authors.However, all the researchers belong to research groups that have closely collaborated so in the future we plan to prepare more detailed documentation in order to facilitate other researchers in applying and validating the framework.

Conclusions and Future Work
The mere existence of human beings on the planet has a negative effect on the environment.We are part of nature, so it is our responsibility to care of it and strengthen it, making an effort to minimize the harmful impact on the environment as much as possible, for the sake of future generations.
From this conviction with respect to the need to protect the environment, the idea of Green IT in the area of IT has come into being, seeking to bring the field of sustainability to the area of IT.Despite being in its early stages, Green IT is becoming an increasingly important and indispensable area in an increasingly sustainable and efficient world [23].
For their part, organizations around the world have discovered that respect for the environment is not only positive for the planet, but also for the basis of their business.That is why Green IT initiatives are gaining more and more ground within organizations [24], and the benefits they offer go far beyond the economic sphere [2,3].
It must be said, however, that until now, organizations have been applying these Green IT practices according to their own criteria.They therefore need guides that enable them to implement Green IT correctly, and in a standardized way.
This has led us to develop the "Governance and Management Framework for Green IT", which proposes a framework for defining and establishing the basis for governance and management of Green IT in an organization, as well as for carrying out audits of Green IT.This framework will undoubtedly greatly simplify the adoption of Green IT in organizations, and will in the very-near future take this vitally-important area forward, far beyond where it is at present.
In addition, in order to complement this framework, a multi-platform software application (called GreenITAudit) [25] has also been developed, aiming to help the auditors to carry out the or audit phase of Green IT, taking the developed framework as a basis.
It should be remembered that the "Governance and Management Framework for Green IT" is based on COBIT 5, from which the structure of enablers that it establishes has been taken as a guide.So far, there has been no specific framework for Green IT among the frameworks or professional guides of COBIT 5 that are specific to different areas of IT.Now, thanks to the "Governance and Management Framework for Green IT", this need is met, which means that the framework could take its place within the COBIT 5 product family, as shown in Figure 3.With regard to lines of future work, we believe that it is vital to continue work in this area, and to carry on developing and improving the "Governance and Management Framework for Green IT".As such, we are currently working on:

•
Include in the framework more processes in order to cover all organizational aspects related to Green IT, not as in the current version that only the most closely related and characteristic processes regarding Green IT have been taken into account in order to have an initial contact.

•
Separate the different activities specific to Green IT of the practices of each process between "Green by IT" and "Green in IT" to obtain a more detailed and specific vision and also to be able to carry out more specific audits.In this sense, we have separated the activities of the processes of the current version.By way of example, in the practice "APO06.02Prioritize resource allocation" of the process "APO06 Manage budget and costs" we have defined two practices: a first practice related to ensure that in the prioritization of resources of Green IT there is consideration of what the needs and capabilities of the organization and Green IT are (practice specific of Green by IT); and a second practice in relation to ensure that the resources of Green IT are taken into account in the prioritization of the general resources of the organization, and that those resources are given priority over other less important areas in the current context of the organization (practice specific of Green in IT).

•
Carrying out more case studies in larger organizations with greater involvement in the area of sustainability and, above all, Green IT.Through these practical cases our intention is to further refine and improve the "Governance and Management Framework for Green IT".

•
Application of the ISO 14000 family of standards within Green IT, in order to identify the parts that can be integrated into the "Governance and Management Framework for Green IT".This would mean that the framework can also guide organizations that are seeking to be certified in ISO 14001 [26].In addition, the framework that has been developed would be standardized as much as possible.

•
Analysis and inclusion within the "Governance and Management Framework for Green IT" of characteristics and best practices defined in other standards related to Green IT in specific sectors of IT, such as the standards developed by the International Telecommunication Union (ITU) [27- With regard to lines of future work, we believe that it is vital to continue work in this area, and to carry on developing and improving the "Governance and Management Framework for Green IT".As such, we are currently working on:

•
Include in the framework more processes in order to cover all organizational aspects related to Green IT, not as in the current version that only the most closely related and characteristic processes regarding Green IT have been taken into account in order to have an initial contact.

•
Separate the different activities specific to Green IT of the practices of each process between "Green by IT" and "Green in IT" to obtain a more detailed and specific vision and also to be able to carry out more specific audits.In this sense, we have separated the activities of the processes of the current version.By way of example, in the practice "APO06.02Prioritize resource allocation" of the process "APO06 Manage budget and costs" we have defined two practices: a first practice related to ensure that in the prioritization of resources of Green IT there is consideration of what the needs and capabilities of the organization and Green IT are (practice specific of Green by IT); and a second practice in relation to ensure that the resources of Green IT are taken into account in the prioritization of the general resources of the organization, and that those resources are given priority over other less important areas in the current context of the organization (practice specific of Green in IT).

•
Carrying out more case studies in larger organizations with greater involvement in the area of sustainability and, above all, Green IT.Through these practical cases our intention is to further refine and improve the "Governance and Management Framework for Green IT".

•
Application of the ISO 14000 family of standards within Green IT, in order to identify the parts that can be integrated into the "Governance and Management Framework for Green IT".This would mean that the framework can also guide organizations that are seeking to be certified in ISO 14001 [26].In addition, the framework that has been developed would be standardized as much as possible.

•
Analysis and inclusion within the "Governance and Management Framework for Green IT" of characteristics and best practices defined in other standards related to Green IT in specific sectors of IT, such as the standards developed by the International Telecommunication Union (ITU) [27][28][29][30][31].In this regard, it is important to highlight the importance of bringing sustainability to booming IT sectors such as Smart Cities, where organizations such as the ITU (through ITU-T Y.4903/L.1603standard [31]) and the ISO (with ISO 37120 standard [32]) are turning their efforts towards the objective of encouraging the development of services in the Smart Cities based on efficiency and sustainability.
There is still much to be done.Environmental protection is a continuous and constant task for all of us, and the future of mankind depends on achieving sustainable development in all areas.

•
Governance: formed by one domain (Evaluate, Direct and Monitor (EDM)), which contains five processes.Within these, practices of evaluation, direction and monitoring specific to the area of governance of an organization are defined.• Management: contains four domains, which reflect the areas of Plan, Build, Run and Monitor (PBRM): o Align, Plan and Organize (APO): 13 processes.o Build, Acquire and Implement (BAI): 10 processes.o Deliver, Service and Support (DSS): 6 processes.o Monitor, Evaluate and Assess (MEA): 3 processes.

Figure 3 .
Figure 3. "Governance and Management Framework for Green IT" in COBIT 5 product family.

Figure 3 .
Figure 3. "Governance and Management Framework for Green IT" in COBIT 5 product family.

Table 2 .
Results of compliance with Green IT processes in the Research Institute (RI).

•
Acquisition of IT equipment that conforms to internationally recognized sustainability standards, such as UE Energy Star v5, ISO 14001 o ISO 779/9296.

Table 3 .
Results of compliance with Green IT processes in the Service Center (SC).