Implementing COBIT for Effective Information Technology Compliance


Implementing COBIT for Effective IT Compliance

Page 1 of 12

Contents

1. Introduction to COBIT (page 1)
2. COBIT (page 3)
2.1 COBIT Structure (page 3)
2.2 COBIT Domain and Process Structure (page 4)
2.3 Information Measurement Criteria (page 6)
2.4 Process Goals and Metrics (page 7)
2.5 Generic Process Controls (page 8)
2.6 Generic Application Controls (page 9)
2.7 Process Maturity Model (page 9)
3. COBIT and Other Governance Frameworks (page 10)
4. Links (page 11)

1. Introduction to COBIT

This article is intended to be a brief introduction to the Control Objectives for Information and related Technology (COBIT). COBIT is a substantial topic; the links at the end of this article provide a starting point for more information.

COBIT fits into the increasingly crowded landscape of corporate governance, regulation and compliance rules and standards: Sarbanes-Oxley, BASEL II, ISO 17799/BS 7799, Know Your Customer/Anti-Money Laundering, SEC Rule 17a-4/NASD Rule 3010/3110, ITIL, Stability II, Data Protection Act, EU Directive 95/46, Gramm-Leach-Bliley Act, COSO and many others.

IT is affected by these requirements because IT drives the business processes and manages the information that such governance seeks to control. IT is at the core of most complex businesses, and it must manage itself more effectively and reliably in order to respond to these requirements.

There are two aspects to IT controls:

1. IT must implement internal controls around how it operates.
2. The systems IT delivers to the business, and the underlying business processes these systems actualise, must be controlled. These are controls external to IT.

COBIT aims to be different from these other governance approaches in two ways:

1. It is an IT governance framework and supporting set of tools that IT can use to bridge the gap between control requirements, technical issues and business risks.
2. It provides a detailed implementation structure and toolset that translates the framework theory into practical and achievable deliverables.


Like all governance standards and methodologies, COBIT can be long and painful to implement. Implementing and adhering to compliance standards can seem like wasted effort, since it does not directly add value to the business. COBIT removes at least some of the pain and reduces the execution time by going some way towards translating general principles into realisable specifics.

Because COBIT has a detailed implementation framework, the project to implement it, and the associated time and cost, can be defined more exactly. The framework can be customised to suit the requirements of the organisation.

COBIT has broad coverage and a business focus. It seeks to ensure that IT delivers what the business needs. COBIT focuses on the "what" rather than on the "how": it is a control and management framework, linking IT practices to business requirements.

COBIT is based on the principle that, to provide the information the enterprise requires to achieve its objectives, the enterprise needs to manage and control IT resources using a structured set of processes to deliver the required information services.

The implementation of COBIT seeks to deliver real benefits:

• Better IT-to-business alignment, built on a business focus
• A management view of what IT does
• Clear ownership and responsibilities, based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, based on a common language
• Fulfilment of the governance requirements for the IT control environment

The remainder of this article refers to COBIT 4.0, the latest version at the time of writing.


Figure 1 - Underlying COBIT Principle

2. COBIT

2.1 COBIT Structure

Schematically, the structure of the components of COBIT and their relationships is represented as:

Figure 2 - COBIT Components and Relationships


COBIT provides a framework and an associated toolset that allow IT to implement controls, address technical issues and business risks, and communicate the resulting level of control to IT's business stakeholders. By providing a toolset, COBIT enables the development of policy and practice for IT control throughout the enterprise.

COBIT is integrated with other standards and can thus become an umbrella framework for IT governance. It assists in understanding and managing the risks and benefits associated with IT. The process structure of COBIT and its business-oriented approach provide an end-to-end view of IT.

2.2 COBIT Domain and Process Structure

The COBIT process model of four domains contains (currently) 34 template processes that manage the IT resources to deliver information to the business according to business and governance requirements. Each process contains a set of control objectives.

Figure 3 - COBIT Hierarchy

When implemented, the processes can be regarded as an engine to deliver information and fulfil objectives.


Figure 4 - COBIT Process Domains and the Delivery of Information to Meet Objectives

The four COBIT domains and their constituent template processes are:

Plan and Organise (PO)
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define the IT processes, organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects

Acquire and Implement (AI)
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes

Deliver and Support (DS)
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations

Monitor and Evaluate (ME)
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance

Table 1 - COBIT Processes and Detailed Controls

The implementation of these COBIT processes within the toolset is divided into four parts:

1. High-level control objective: a process summary identifying the business requirement being satisfied, the focus, and the achievement and measurement principles
2. Detailed process-specific control objectives
3. Process inputs and outputs, responsibilities, goals and metrics
4. Process maturity model

Each of these processes consists of a number of specific control objectives. For example, the process PO1 Define a strategic IT plan consists of the following control objectives:

• PO1.1 IT Value Management
• PO1.2 Business-IT Alignment
• PO1.3 Assessment of Current Performance
• PO1.4 IT Strategic Plan
• PO1.5 IT Tactical Plans
• PO1.6 IT Portfolio Management

In all there are currently 215 specific detailed control objectives across the 34 processes.

Again, it is COBIT's execution-oriented template approach and structure that make it useful and implementable.

2.3 Information Measurement Criteria

COBIT defines seven criteria that measure how well the information delivered by the 34 processes meets business objectives:

Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Efficiency: concerned with the provision of the information through the optimal use of resources.
Confidentiality: concerned with the protection of sensitive information from unauthorised disclosure.
Integrity: relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Availability: relates to the information being available when required by the business process, now and in the future.
Compliance: deals with complying with laws, regulations and contractual arrangements.
Reliability: relates to the provision of appropriate information for the workforce of the organisation.

Table 2 - COBIT Information Measurement Criteria

2.4 Process Goals and Metrics

Each process has three sets of goals, each measured by a corresponding set of metrics:

Activity Goals, measured by Key Performance Indicators (KPIs)
Process Goals, measured by Process Key Goal Indicators (KGIs)
IT Goals, measured by IT Key Goal Indicators (KGIs)

Table 3 - Process Goals and Metrics

For example, the goals and metrics for the process PO1 Define a strategic IT plan are:

Activity Goals
• Engaging with business and senior management in aligning IT strategic planning with current and future business needs
• Understanding current IT capabilities
• Translating IT strategic planning into tactical plans
• Providing for a prioritisation scheme for the business objectives that quantifies the business requirements

Process Goals
• Define how business requirements are translated in service offerings.
• Define the strategy to deliver service offerings.
• Contribute to the management of the portfolio of IT-enabled business investments.
• Establish clarity of business impact of risks to IT objectives and resources.
• Provide transparency and understanding of IT costs, benefits, strategy, policies and service levels.

IT Goals
• Respond to business requirements in alignment with the business strategy.
• Respond to governance requirements in line with board direction.

Key Performance Indicators (measure the Activity Goals)
• Delay between updates of business strategic/tactical plan and updates of IT strategic/tactical plan
• % of strategic/tactical IT plan meetings where business representatives have actively participated
• Delay between updates of IT strategic plan and updates of IT tactical plans
• % of tactical IT plans complying with the predefined structure/contents of those plans
• % of IT initiatives/projects championed by business owners

Process Key Goal Indicators (measure the Process Goals)
• % of IT objectives in the IT strategic plan that support the strategic business plan
• % of IT initiatives in the IT tactical plan that support the tactical business plan
• % of IT projects in the IT project portfolio that can be directly traced back to the IT tactical plan

IT Key Goal Indicators (measure the IT Goals)
• Degree of approval of business owners of the IT strategic/tactical plans
• Degree of compliance with business and governance requirements
• Level of satisfaction of the business with the current state (number, scope, etc.) of the project and applications portfolio

Table 4 - Detailed goals and metrics for sample process PO1 Define a strategic IT plan

2.5 Generic Process Controls

In addition to the process-specific control objectives, COBIT includes a set of generic process controls that apply to all processes:

PC1 Process Owner: assign an owner for each COBIT process such that responsibility is clear.
PC2 Repeatability: define each COBIT process such that it is repeatable.
PC3 Goals and Objectives: establish clear goals and objectives for each COBIT process for effective execution.
PC4 Roles and Responsibilities: define unambiguous roles, activities and responsibilities for each COBIT process for efficient execution.
PC5 Process Performance: measure the performance of each COBIT process against its goals.
PC6 Policy, Plans and Procedures: document, review, keep up to date, sign off on and communicate to all involved parties any policy, plan or procedure that drives a COBIT process.

Table 5 - COBIT Generic Detailed Process Controls

2.6 Generic Application Controls

As with the generic process controls described above, COBIT includes a set of generic application controls. These are grouped by the stage of the data flow through an application that they govern:

Data Origination/Authorisation Controls
AC1 Data Preparation Procedures
AC2 Source Document Authorisation Procedures
AC3 Source Document Data Collection
AC4 Source Document Error Handling
AC5 Source Document Retention

Data Input Controls
AC6 Data Input Authorisation Procedures
AC7 Accuracy, Completeness and Authorisation Checks
AC8 Data Input Error Handling

Data Processing Controls
AC9 Data Processing Integrity
AC10 Data Processing Validation and Editing
AC11 Data Processing Error Handling

Data Output Controls
AC12 Output Handling and Retention
AC13 Output Distribution
AC14 Output Balancing and Reconciliation
AC15 Output Review and Error Handling
AC16 Security Provision for Output Reports

Boundary Controls
AC17 Authenticity and Integrity
AC18 Protection of Sensitive Information During Transmission and Transport

Table 6 - COBIT Detailed Application Controls

2.7 Process Maturity Model

The implementation of each process is measured on a maturity scale from 0, meaning non-existent, to 5, denoting optimised:


Figure 5 - Process Maturity Measurement

There is a separate, specific maturity model for each of COBIT's 34 IT processes, against which the organisation can evaluate the maturity of its management and control over that process. The 0-5 maturity scale and the associated score are not intended to be precise; the objective is to identify where the issues are and to set priorities for improvement.

Using this, management can identify the current performance of the enterprise and set the enterprise's target for improvement.

3. COBIT and Other Governance Frameworks

Implementing COBIT will assist in compliance with other major standards such as COSO and Sarbanes-Oxley:

Figure 6 - COBIT, COSO and SOX

Because COBIT contains a detailed implementation toolset, it can be used to provide a framework for implementing other standards, and implementing COBIT can subsume compliance with many of them. The following maps other standards to COBIT in terms of:

• Level of Detail - how detailed the guidelines are in terms of technical or operational depth
• Completeness - how much of COBIT is addressed by the standard, what is addressed more comprehensively than in COBIT, and what is absent compared to COBIT

Figure 7 - Comparison of COBIT and Other Standards

4. Links

These are some links relating to COBIT where you can find more information.

http://www.isaca.org/ - Information Systems Audit and Control Association, co-owner of COBIT
http://www.isaca.org/cobit - COBIT Home
http://cobitcampus.isaca.org - COBIT Education
http://www.itgi.org/ - IT Governance Institute, co-owner of COBIT
http://www.coso.org/ - Committee of Sponsoring Organizations of the Treadway Commission
http://it.safemode.org/ - COBIT open initiative
http://www.sox-online.com/coso_cobit.html - SOX, COSO and COBIT Centre
http://www.ogc.gov.uk/index.asp?id=2261 - IT Infrastructure Library home
http://www.controlit.org/ - Support Group for COBIT Users, containing COBIT forums and information

Table 7 - Web Links for More Information