KC 9.2.3 - CobiT Model

Control Objectives for Information and related Technology (COBIT) is a framework for IT governance and control created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). COBIT provides managers, auditors, and IT users with a set of generally accepted information technology control objectives to help them maximize the benefits derived from information technology and develop appropriate IT governance and control within a company. In its third edition, COBIT defines 34 high-level control objectives (one per IT process) that cover 318 detailed control objectives, grouped into four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring.

It comprises six elements: management guidelines, control objectives, COBIT framework, executive summary, audit guidelines and an implementation toolset. All are documented in separate volumes.

It was developed by the Information Systems Audit and Control Foundation and, later, the IT Governance Institute; work began in 1992, when the control objectives relevant to information technology were first identified. The first edition was published in 1996, the second in 1998, the third in 2000, and an on-line edition became available in 2003. It has more recently found favour due to external developments, especially the Enron scandal and the subsequent passage of the Sarbanes-Oxley Act.

The COBIT mission is “to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.” Managers, auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.

COBIT Product Family

The complete COBIT package is a set consisting of six publications:

  • Executive Summary
  • Framework
  • Control Objectives
  • Audit Guidelines
  • Implementation Tool Set
  • Management Guidelines

A brief overview of each of the above components is provided below.

Executive Summary

Sound business decisions are based on timely, relevant and concise information. Specifically designed for time-pressed senior executives and managers, the COBIT Executive Summary consists of an Executive Overview, which provides a thorough awareness and understanding of COBIT's key concepts and principles. Also included is a synopsis of the Framework, which gives a more detailed understanding of these concepts and principles while identifying COBIT's four domains (Planning and Organization, Acquisition and Implementation, Delivery and Support, Monitoring) and 34 IT processes.

Framework

A successful organization is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), and which IT resources (people, applications, technology, facilities and data), are important for each IT process to fully support the business objectives.

Control Objectives

The key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT's Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 318 specific, detailed control objectives throughout the 34 IT processes.

Audit Guidelines

Analyze, assess, interpret, react, implement. To achieve your desired goals and objectives you must constantly and consistently audit your procedures. Audit Guidelines outlines and suggests actual activities to be performed corresponding to each of the 34 high-level IT control objectives, while substantiating the risk of control objectives not being met. Audit Guidelines is an invaluable tool for information systems auditors in providing management assurance and/or advice for improvement.

Implementation Tool Set

The Implementation Tool Set contains Management Awareness and IT Control Diagnostics, an Implementation Guide, FAQs, case studies from organizations currently using COBIT, and slide presentations that can be used to introduce COBIT into an organization. The Tool Set is designed to facilitate the implementation of COBIT, relate lessons learned from organizations that quickly and successfully applied COBIT in their work environments, and lead management to ask about each COBIT process: Is this process important for our business objectives? Is it well performed? Who does it, and who is accountable? Are the processes and controls formalized?

Management Guidelines

To ensure a successful enterprise, you must effectively manage the union between business processes and information systems. The Management Guidelines are composed of Maturity Models, to help determine the stages and expectation levels of control and compare them against industry norms; Critical Success Factors, to identify the most important actions for achieving control over the IT processes; Key Goal Indicators, to define target levels of performance; and Key Performance Indicators, to measure whether an IT control process is meeting its objective. The Management Guidelines help answer the questions of immediate concern to all those who have a stake in enterprise success.

COBIT Structure

COBIT provides benefits to managers, IT users, and auditors. Managers benefit from COBIT because it provides a foundation on which IT-related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the IT hardware and software needed to execute the IT strategy, ensuring continuous service, and monitoring the performance of the IT system. IT users benefit from COBIT because, when the applications that gather, process, and report information comply with COBIT, they have assurance that controls and security are in place to govern those processes. COBIT benefits auditors because it helps them identify IT control issues within a company's IT infrastructure and corroborate their audit findings.

COBIT covers four domains:

  • Planning and Organization
  • Acquisition and Implementation
  • Delivery and Support
  • Monitoring

Planning and Organization

The Planning and Organization domain covers the use of technology and how best it can be used in a company to help achieve the company’s goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT. The following table lists the high level control objectives for the Planning and Organization domain.

HIGH LEVEL CONTROL OBJECTIVES: Planning and Organization

  PO1    Define a Strategic IT Plan
  PO2    Define the Information Architecture
  PO3    Determine Technological Direction
  PO4    Define the IT Organization and Relationships
  PO5    Manage the IT Investment
  PO6    Communicate Management Aims and Direction
  PO7    Manage Human Resources
  PO8    Ensure Compliance with External Requirements
  PO9    Assess Risks
  PO10   Manage Projects
  PO11   Manage Quality

Acquisition and Implementation

The Acquisition and Implementation domain addresses the company’s strategy in identifying its IT requirements, acquiring the technology, and implementing it within the company’s current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components. The following table lists the high level control objectives for the Acquisition and Implementation domain.

HIGH LEVEL CONTROL OBJECTIVES: Acquisition and Implementation

  AI1    Identify Automated Solutions
  AI2    Acquire and Maintain Application Software
  AI3    Acquire and Maintain Technology Infrastructure
  AI4    Develop and Maintain Procedures
  AI5    Install and Accredit Systems
  AI6    Manage Changes

Delivery and Support

The Delivery and Support domain focuses on the delivery aspects of information technology. It covers areas such as the execution of the applications within the IT system and their results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security and training. The following table lists the high level control objectives for the Delivery and Support domain.

HIGH LEVEL CONTROL OBJECTIVES: Delivery and Support

  DS1    Define and Manage Service Levels
  DS2    Manage Third-Party Services
  DS3    Manage Performance and Capacity
  DS4    Ensure Continuous Service
  DS5    Ensure Systems Security
  DS6    Identify and Allocate Costs
  DS7    Educate and Train Users
  DS8    Assist and Advise Customers
  DS9    Manage the Configuration
  DS10   Manage Problems and Incidents
  DS11   Manage Data
  DS12   Manage Facilities
  DS13   Manage Operations

Monitoring

The Monitoring domain deals with a company's strategy for assessing its needs and determining whether the current IT system still meets the objectives for which it was designed, and whether the controls necessary to comply with regulatory requirements are in place. Monitoring also covers independent assessment, by internal and external auditors, of the effectiveness of the IT system in meeting business objectives and of the company's control processes. The following table lists the high level control objectives for the Monitoring domain.

HIGH LEVEL CONTROL OBJECTIVES: Monitoring

  M1     Monitor the Processes
  M2     Assess Internal Control Adequacy
  M3     Obtain Independent Assurance
  M4     Provide for Independent Audit

