Control Objectives For Information And Related Technology, “COBIT”

Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1996. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

Overview

COBIT was first released in 1996. Its mission is “to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.” Managers, Auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.

COBIT 4.1 has 34 high level processes that cover 210 control objectives categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring and Evaluation. COBIT provides benefits to managers, IT users, and auditors. Managers benefit from COBIT as it provides them with a foundation upon which IT related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system. IT users benefit from COBIT because of the assurance provided to them by COBIT’s defined controls, security, and process governance. COBIT benefits auditors because it helps them identify IT control issues within a company’s IT infrastructure. It also helps them corroborate their audit findings.

Recently, ISACA has released Val IT, which correlates the COBIT processes to senior management processes required to get good value from IT investments

COBIT product family (version 4.0)

The complete COBIT package consists of:

  • Executive Summary
  • Governance and Control Framework
  • Control Objectives
  • Management Guidelines
  • Implementation Guide
  • IT Assurance Guide

Executive summary

Sound business decisions are based on timely, relevant and concise information. Specifically designed for time-pressed senior executives and managers, the COBIT Executive Summary consists of an Executive Overview which provides a thorough awareness and understanding of COBIT’s key concepts and principles. Also included is a synopsis of the Framework, which provides a more detailed understanding of these concepts and principles, while identifying COBIT’s four domains (Planning and Organization, Acquisition and Implementation, Delivery and Support, Monitoring and Evaluation) and the 34 IT processes.

Framework

A successful organization is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven Information Criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, information and infrastructure) are important for the IT processes to fully support business.

Control Objectives

The key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT’s Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 210 specific and detailed control objectives throughout the 34 high-level IT processes.

Management Guidelines

To ensure a successful enterprise, you must effectively manage the union between business processes and information systems. The new Management Guidelines are composed of Maturity Models, to help determine the stages and expectation levels of control and compare them against industry norms; Critical Success Factors, to identify the most important actions for achieving control over the IT processes; Key Goal Indicators, to define target levels of performance; and Key Performance Indicators, to measure whether an IT control process is meeting its objective. These Management Guidelines will help answer the questions of immediate concern to all those who have a stake in enterprise success.

IT Assurance Guide

To be certain that the control objectives are being achieved, there is an implicit need to assess the controls linked to them. The Assurance Guide provides the tools to assess the controls in every form needed, from their design to the results. The guide also allows for the assurance initiative planning and scoping in a standardized, repeatable way so that the business and IT can be assessed under a single framework, completely compatible with ISACA’s ITAF. There is a misunderstanding that the Assurance Guide is the successor to the Audit Guidelines. The truth is, however, that it is a completely new book, based on the Control Practices. The Audit Guidelines is not part of CobiT anymore, as the Assurance Guide is not part of the book, but a related publication.

COBIT structure

COBIT covers four domains:

  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate

Plan and Organize

The Plan and Organize domain covers the use of information & technology and how best it can be used in a company to help achieve the company’s goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT. The following table lists the IT processes contained in the Planning and Organization domain.

IT PROCESSES Plan and Organize

PO1 Define a Strategic IT Plan and direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquire and Implement

The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components. The following table lists the IT processes contained in the Acquire and Implement domain.

IT PROCESSES Acquire and Implement

AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Deliver and Support

The Deliver and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training. The following table lists the IT processes contained in the Deliver and Support domain.

IT PROCESSES Deliver and Support

DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitor and Evaluate

The Monitor and Evaluate domain deals with a company’s strategy in assessing the needs of the company and whether or not the current system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment of the effectiveness of IT system in its ability to meet business objectives and the company’s control processes by internal and external auditors. The following table lists the IT processes contained in the Monitor and Evaluate domain.

IT PROCESSES Monitor and Evaluate

ME1 Monitor and Evaluate IT Processes
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

COBIT and other standards

COBIT, Val IT and Risk IT

Building on the success of COBIT, and focusing on key IT governance areas of value delivery and risk management, ISACA developed two additional IT governance frameworks, Val IT™ and Risk IT. These frameworks are closely aligned with and complement COBIT, but deliver value to enterprises in their own right. While COBIT ensures that IT is working as effectively as possible to maximize the benefits of technology investment, Val IT helps enterprises make better decisions about where to invest, ensuring that the investment is consistent with the business strategy. And while COBIT provides a set of controls to mitigate IT risk in IT processes, Risk IT provides a framework for enterprise to identify, govern and manage IT-related risks.

COBIT and ISO/IEC 27002:2007

COBIT was released and used primarily by the IT community, and has become the internationally accepted framework for IT governance and control. ISO/IEC 27002:2007 (The Code of Practice for Information Security Management) is also an international standard and is best practice for implementing security management. The two standards do not compete with each other and actually complement one another. COBIT typically covers a broader area while ISO/IEC 27002 is deeply focused in the area of security.

The table below describes the inter-relation of the two standards as well as how ISO/IEC 27002 can be integrated with COBIT.

COBIT DOMAIN 1 2 3 4 5 6 7 8 9 10 11 12 13
Plan and Organize - + - - + + + + - - 0 . .
Acquire and Implement + 0 0 - 0 + . . . . . . .
Deliver and Support - + 0 + + . + 0 0 0 + 0 0
Monitor and Evaluate - 0 - 0 . . . . . . . . .

(+) Good match (more than two ISO/IEC 27002:2007 objectives were mapped to a COBIT process) (0) Partly match (one or two ISO/IEC 27002:2007 objectives were mapped to a COBIT process) (-) No or minor match (no ISO/IEC 27002:2007 objective was mapped to a COBIT process) (.) Does not exist

COBIT and Sarbanes Oxley

Public companies that are subject to the U.S. Sarbanes-Oxley Act of 2002 are encouraged to adopt COBIT and/or the Committee of Sponsoring Organizations of the Treadway Commission (COSO) “Internal Control – Integrated Framework.” In choosing which of the control frameworks to implement in order to comply with Sarbanes-Oxley, the U.S. Securities and Exchange Commission suggests that companies follow the COSO framework.

COSO Internal Control – Integrated Framework states that internal control is a process — established by an entity’s board of directors, management, and other personnel — designed to provide reasonable assurance regarding the achievement of stated objectives. COBIT approaches IT control by looking at information — not just financial information — that is needed to support business requirements and the associated IT resources and processes. COSO control objectives focus on effectiveness, efficiency of operations, reliable financial reporting, and compliance with laws and regulations. The two frameworks have different audiences. COSO is useful for management at large, while COBIT is useful for IT management, users, and auditors. COBIT is specifically focused on IT controls. Because of these differences, auditors should not expect a one-to-one relationship between the five COSO control components and the four COBIT objective domains.

COBIT and other international standards

For more international standards, see ISACA CobiT Mappings. COBIT is also addressed by the Information Security Forum in its Standard of Good Practice and other documents.

From Wikipedia, the free encyclopedia

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s