Implementing COBIT for Effective Information Technology Compliance
Implementing COBIT for Effective IT Compliance
Page 1 of 12
Contents
1. Introduction to COBIT (p. 1)
2. COBIT (p. 3)
2.1 COBIT Structure (p. 3)
2.2 COBIT Domain and Process Structure (p. 4)
2.3 Information Measurement Criteria (p. 6)
2.4 Process Goals and Metrics (p. 7)
2.5 Generic Process Controls (p. 8)
2.6 Generic Application Controls (p. 9)
2.7 Process Maturity Model (p. 9)
3. COBIT and Other Governance Frameworks (p. 10)
4. Links (p. 11)
1. Introduction to COBIT
This article is intended to be a brief introduction to the Control Objectives for
Information and related Technology (COBIT). COBIT is a substantial topic. The
links at the end of this article will provide a starting point for more information.
COBIT fits into the increasingly crowded landscape of corporate governance,
regulation and compliance rules and standards: Sarbanes-Oxley, BASEL II, ISO
17799/ BS 7799, Know Your Customer/Anti-Money Laundering, SEC Rule 17a-4/
NASD Rule 3010/3110, ITIL, Stability II, Data Protection Act, EU Directive 95/46,
Gramm-Leach-Bliley Act, COSO and many others.
IT is impacted by these requirements because IT drives the business processes and
manages the information that such governance seeks to control. IT is at the core
of most complex businesses. IT is therefore required to manage itself more
effectively and reliably in order to respond to these requirements.
There are two aspects to IT controls:
1. IT must implement internal controls around how it operates
2. The systems IT delivers to the business and the underlying business
processes these systems actualise must be controlled – these are controls
external to IT
COBIT aims to be different from these other governance approaches in two
ways:
1. It is an IT governance framework and supporting set of tools that IT can use
to bridge the gap between control requirements, technical issues and business
risks.
2. It provides a detailed implementation structure and toolset that translates the
framework theory into practical and achievable deliverables.
Like all governance standards and methodologies, COBIT can be long and painful to
implement. Implementation of and adherence to compliance standards can seem to
represent wasted effort, as it does not directly add value to the business. COBIT
removes at least some of the pain and reduces the execution time by going some way
towards translating general principles into realisable specifics.
Because COBIT has a detailed implementation framework, the project to
implement it and the associated time and cost can be defined more exactly.
The framework can be customised to suit the requirements of the organisation.
COBIT has a broad coverage and a business focus. It seeks to ensure that IT
delivers what the business needs. COBIT focuses on the “what” rather than on
the “how”. It is a control and management framework, linking IT practices to
business requirements.
COBIT is based on the principle that to provide the information that the
enterprise requires to achieve its objectives, the enterprise needs to manage and
control IT resources using a structured set of processes to deliver the required
information services.
The implementation of COBIT seeks to deliver real benefits:
• Better IT to business alignment built on a business focus
• Management view of what IT does
• Clear ownership and responsibilities, based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, based on a common
language
• Fulfilment of the governance requirements for the IT control environment
The remainder of this article refers to COBIT V4.0, the latest version.
Figure 1 - Underlying COBIT Principle
2. COBIT
2.1 COBIT Structure
Schematically, the structure of the components of COBIT and their relationship is
represented as:
Figure 2 - COBIT Components and Relationships
COBIT provides a framework and an associated toolset that allow IT to implement
controls, address technical issues and business risks, and communicate that
level of control to IT business stakeholders. By providing a toolset, COBIT enables
the development of policy and practice for IT control throughout the enterprise.
COBIT is integrated with other standards and thus can become an umbrella
framework for IT governance. It assists in understanding and managing the risks
and benefits associated with IT. The process structure of COBIT and its business-
oriented approach provides an end-to-end view of IT.
2.2 COBIT Domain and Process Structure
The COBIT process model of four domains contains (currently) 34 template
processes that manage the IT resources to deliver information to the business
according to business and governance requirements. Each of the processes
contains a set of objectives.
Figure 3 - COBIT Hierarchy
When implemented, the processes can be regarded as an engine to deliver
information and fulfil objectives.
Figure 4 - COBIT Process Domains and The Delivery of Information to Meet
Objectives
The four COBIT domains and their constituent template processes are:
Plan and Organise (PO)
• PO1 Define a strategic IT plan
• PO2 Define the information architecture
• PO3 Determine technological direction
• PO4 Define the IT processes, organisation and relationships
• PO5 Manage the IT investment
• PO6 Communicate management aims and direction
• PO7 Manage IT human resources
• PO8 Manage quality
• PO9 Assess and manage IT risks
• PO10 Manage projects
Acquire and Implement (AI)
• AI1 Identify automated solutions
• AI2 Acquire and maintain application software
• AI3 Acquire and maintain technology infrastructure
• AI4 Enable operation and use
• AI5 Procure IT resources
• AI6 Manage changes
• AI7 Install and accredit solutions and changes
Deliver and Support (DS)
• DS1 Define and manage service levels
• DS2 Manage third-party services
• DS3 Manage performance and capacity
• DS4 Ensure continuous service
• DS5 Ensure systems security
• DS6 Identify and allocate costs
• DS7 Educate and train users
• DS8 Manage service desk and incidents
• DS9 Manage the configuration
• DS10 Manage problems
• DS11 Manage data
• DS12 Manage the physical environment
• DS13 Manage operations
Monitor and Evaluate (ME)
• ME1 Monitor and evaluate IT performance
• ME2 Monitor and evaluate internal control
• ME3 Ensure regulatory compliance
• ME4 Provide IT governance
Table 1 - COBIT Processes and Detailed Controls
The implementation of these COBIT processes within the toolset is divided into
four parts:
1. High-level control objective – a process summary identifying the business
requirement being satisfied, the focus, and the achievement and measurement principles
2. Detailed process-specific control objectives
3. Process inputs and outputs, responsibilities, goals and metrics.
4. Process maturity model
Each of these processes consists of a number of specific control objectives. For
example, the process PO1 Define a strategic IT plan consists of the following
control objectives:
• PO1.1 IT Value Management
• PO1.2 Business-IT Alignment
• PO1.3 Assessment of Current Performance
• PO1.4 IT Strategic Plan
• PO1.5 IT Tactical Plans
• PO1.6 IT Portfolio Management
In all there are currently 215 specific detailed control objectives across the 34
processes.
Again, it is COBIT’s execution-oriented template approach and structure that make it
useful and implementable.
2.3 Information Measurement Criteria
COBIT defines seven criteria that measure how well the information delivered by the 34
processes meets business objectives.
Effectiveness – Deals with information being relevant and pertinent to the business
process as well as being delivered in a timely, correct, consistent and usable manner
Efficiency – Concerned with the provision of the information through the optimal use
of resources
Confidentiality – Concerned with the protection of sensitive information from
unauthorized disclosure
Integrity – Relates to the accuracy and completeness of information as well as to its
validity in accordance with business values and expectations
Availability – Relates to the information being available when required by the
business process now and in the future
Compliance – Deals with complying with laws, regulations and contractual arrangements
Reliability – Relates to the provision of appropriate information for the workforce
of the organization
Table 2 - COBIT Information Measurement Criteria
2.4 Process Goals and Metrics
Each process has three sets of goals measured by corresponding sets of metrics:
• Activity Goals – measured by Key Performance Indicators
• Process Goals – measured by Process Key Goal Indicators
• IT Goals – measured by IT Key Goal Indicators
Table 3 - Process Goals and Metrics
For example, the goals and metrics for the process PO1 Define a strategic IT
plan are:
Activity Goals
• Engaging with business and senior management in aligning IT strategic planning
with current and future business needs
• Understanding current IT capabilities
• Translating IT strategic planning into tactical plans
• Providing for a prioritisation scheme for the business objectives that quantifies
the business requirements
Process Goals
• Define how business requirements are translated in service offerings.
• Define the strategy to deliver service offerings.
• Contribute to the management of the portfolio of IT-enabled business investments.
• Establish clarity of business impact of risks to IT objectives and resources.
• Provide transparency and understanding of IT costs, benefits, strategy, policies
and service levels.
IT Goals
• Respond to business requirements in alignment with the business strategy.
• Respond to governance requirements in line with board direction.
Key Performance Indicators
• Delay between updates of business strategic/tactical plan and updates of IT
strategic/tactical plan
• % of strategic/tactical IT plan meetings where business representatives have
actively participated
• Delay between updates of IT strategic plan and updates of IT tactical plans
• % of tactical IT plans complying with the predefined structure/contents of those
plans
• % of IT initiatives/projects championed by business owners
Process Key Goal Indicators
• % of IT objectives in the IT strategic plan that support the strategic business plan
• % of IT initiatives in the IT tactical plan that support the tactical business plan
• % of IT projects in the IT project portfolio that can be directly traced back to the
IT tactical plan
IT Key Goal Indicators
• Degree of approval of business owners of the IT strategic/tactical plans
• Degree of compliance with business and governance requirements
• Level of satisfaction of the business with the current state (number, scope, etc.)
of the project and applications portfolio
Table 4 - Detailed goals and metrics for sample process PO1 Define a strategic
IT plan
2.5 Generic Process Controls
In addition to the process-specific control objectives, COBIT includes a set of
generic process controls that are applied to all processes:
PC1 Process Owner – Assign an owner for each COBIT process such that responsibility
is clear.
PC2 Repeatability – Define each COBIT process such that it is repeatable.
PC3 Goals and Objectives – Establish clear goals and objectives for each COBIT
process for effective execution.
PC4 Roles and Responsibilities – Define unambiguous roles, activities and
responsibilities for each COBIT process for efficient execution.
PC5 Process Performance – Measure the performance of each COBIT process against
its goals.
PC6 Policy, Plans and Procedures – Document, review, keep up to date, sign off on
and communicate to all involved parties any policy, plan or procedure that drives a
COBIT process.
Table 5 - COBIT Generic Detailed Process Controls
2.6 Generic Application Controls
As with the generic process controls described above, COBIT includes a set of
generic application controls that are applied to all processes:
Data Origination/Authorisation Controls
• AC1 Data Preparation Procedures
• AC2 Source Document Authorisation Procedures
• AC3 Source Document Data Collection
• AC4 Source Document Error Handling
• AC5 Source Document Retention
Data Input Controls
• AC6 Data Input Authorisation Procedures
• AC7 Accuracy, Completeness and Authorisation Checks
• AC8 Data Input Error Handling
Data Processing Controls
• AC9 Data Processing Integrity
• AC10 Data Processing Validation and Editing
• AC11 Data Processing Error Handling
Data Output Controls
• AC12 Output Handling and Retention
• AC13 Output Distribution
• AC14 Output Balancing and Reconciliation
• AC15 Output Review and Error Handling
• AC16 Security Provision for Output Reports
Boundary Controls
• AC17 Authenticity and Integrity
• AC18 Protection of Sensitive Information During Transmission and Transport
Table 6 - COBIT Detailed Application Controls
2.7 Process Maturity Model
The implementation of each process is measured on a maturity scale from 0
meaning non-existent to 5 denoting optimised:
Figure 5 - Process Maturity Measurement
There is a separate specific maturity model for each of COBIT’s 34 IT processes.
The organisation can evaluate its maturity in its management and control over IT
processes. The maturity scale of 0-5 and associated score is not intended to be
precise. The objective is to identify where issues are and to set priorities for
improvements.
Using this, management can identify the current performance of the enterprise
and the enterprise’s target for improvement.
3. COBIT and Other Governance Frameworks
Implementing COBIT will assist in compliance with other major standards such as
COSO and Sarbanes-Oxley:
Figure 6 - COBIT, COSO and SOX
Because COBIT contains a detailed implementation toolset, it can be used to
provide a framework for implementing other standards. Implementing COBIT can
subsume compliance with many other standards. The following maps other
standards to COBIT in terms of:
• Level of Detail - How detailed are the guidelines in terms of technical or
operational depth.
• Completeness - How much of COBIT is addressed by the standard, what is more
comprehensively addressed than in COBIT, and what is absent compared to COBIT.
Figure 7 - Comparison of COBIT and Other Standards
4. Links
These are some links relating to COBIT where you can find more information.
http://www.isaca.org/ - Information Systems Audit and Control Association – co-owner
of COBIT
http://www.isaca.org/cobit - COBIT Home
http://cobitcampus.isaca.org - COBIT Education
http://www.itgi.org/ - IT Governance Institute – co-owner of COBIT
http://www.coso.org/ - Committee of Sponsoring Organizations of the Treadway
Commission
http://it.safemode.org/ - COBIT open initiative
http://www.sox-online.com/coso_cobit.html - SOX COSO and COBIT Centre
http://www.ogc.gov.uk/index.asp?id=2261 - IT Infrastructure Library home
http://www.controlit.org/ - Support Group for COBIT Users containing COBIT forums
and information
Table 7 - Web Links for More Information