COBIT
From ChekMate Security Group
COBIT (Control Objectives for Information and related Technology) is an IT governance and control framework created by ISACA (the Information Systems Audit and Control Association) and the ITGI (IT Governance Institute). It provides managers, auditors, and IT users with a set of generally accepted information technology control objectives to help them maximize the benefits derived from the use of information technology and develop appropriate IT governance and control in a company. In its 3rd edition, COBIT has 34 high-level control objectives covering 318 detailed control objectives, categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitor.
It comprises six elements: management guidelines, control objectives, COBIT framework, executive summary, audit guidelines and an implementation toolset. All are documented in separate volumes.
Its development began in 1992, when the Information Systems Audit and Control Foundation first identified the control objectives relevant to information technology; the IT Governance Institute later took over its stewardship. The first edition was published in 1996, the second in 1998, and the third in 2000; an on-line edition became available in 2003. It has more recently found favour because of external developments, especially the Enron scandal and the subsequent passage of the Sarbanes-Oxley Act.
The COBIT mission is “to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.” Managers, auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.
COBIT Structure
COBIT provides benefits to managers, IT users, and auditors. Managers benefit because it gives them a foundation on which IT-related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the hardware and software needed to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system. IT users benefit from the assurance that, if the applications that aid in gathering, processing, and reporting information comply with COBIT, controls and security are in place to govern those processes. Auditors benefit because COBIT helps them identify IT control issues within a company's IT infrastructure and corroborate their audit findings.
COBIT covers four domains:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitor
Planning and Organization
The Planning and Organization domain covers the use of technology and how it can best be used in a company to help achieve the company's goals and objectives. It also sets out the organizational and infrastructural form IT is to take in order to achieve optimal results and generate the most benefit from the use of IT. The following table lists the high-level control objectives for the Planning and Organization domain.
| ID | High-level control objective |
| PO1 | Define a Strategic IT Plan |
| PO2 | Define the Information Architecture |
| PO3 | Determine Technological Direction |
| PO4 | Define the IT Organization and Relationships |
| PO5 | Manage the IT Investment |
| PO6 | Communicate Management Aims and Direction |
| PO7 | Manage Human Resources |
| PO8 | Ensure Compliance with External Requirements |
| PO9 | Assess Risks |
| PO10 | Manage Projects |
| PO11 | Manage Quality |
Acquisition and Implementation
The Acquisition and Implementation domain addresses the company's strategy for identifying its IT requirements, acquiring the technology, and implementing it within the company's current business processes. It also addresses the maintenance plan a company should adopt to prolong the life of an IT system and its components. The following table lists the high-level control objectives for the Acquisition and Implementation domain.
| ID | High-level control objective |
| AI1 | Identify Automated Solutions |
| AI2 | Acquire and Maintain Application Software |
| AI3 | Acquire and Maintain Technology Infrastructure |
| AI4 | Develop and Maintain Procedures |
| AI5 | Install and Accredit Systems |
| AI6 | Manage Changes |
Delivery and Support
The Delivery and Support domain focuses on the delivery aspects of information technology. It covers areas such as the execution of applications within the IT system and their results, as well as the support processes that enable the effective and efficient execution of these systems. These support processes include security and training. The following table lists the high-level control objectives for the Delivery and Support domain.
| ID | High-level control objective |
| DS1 | Define and Manage Service Levels |
| DS2 | Manage Third-Party Services |
| DS3 | Manage Performance and Capacity |
| DS4 | Ensure Continuous Service |
| DS5 | Ensure Systems Security |
| DS6 | Identify and Allocate Costs |
| DS7 | Educate and Train Users |
| DS8 | Assist and Advise Customers |
| DS9 | Manage the Configuration |
| DS10 | Manage Problems and Incidents |
| DS11 | Manage Data |
| DS12 | Manage Facilities |
| DS13 | Manage Operations |
Monitor
The Monitor domain deals with a company's strategy for assessing its needs and for determining whether the current IT system still meets the objectives for which it was designed and satisfies the controls necessary to comply with regulatory requirements. Monitoring also covers independent assessment, by internal and external auditors, of the effectiveness of the IT system in meeting business objectives and of the company's control processes. The following table lists the high-level control objectives for the Monitor domain.
| ID | High-level control objective |
| M1 | Monitor the Processes |
| M2 | Assess Internal Control Adequacy |
| M3 | Obtain Independent Assurance |
| M4 | Provide for Independent Audit |
COBIT and Other Standards
COBIT and ISO/IEC 17799:2000
Two widely used international standards are COBIT and ISO/IEC 17799:2000. COBIT (Control Objectives for Information and related Technology) was released and used primarily by the IT community; with the later addition of Management Guidelines, it became an internationally accepted framework for IT governance and control. ISO/IEC 17799:2000 (Code of Practice for Information Security Management) is also an international standard and documents best practice for implementing security management. The two standards do not compete with each other and in fact complement one another: COBIT covers a broader area, while ISO/IEC 17799 is deeply focused on security.
The table below describes the inter-relation of the two standards as well as how ISO/IEC 17799 can be integrated with COBIT.
| COBIT DOMAIN | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| Plan and Organize | - | + | - | - | + | + | + | + | - | - | 0 | . | . |
| Acquire and Implement | + | 0 | 0 | - | 0 | + | . | . | . | . | . | . | . |
| Deliver and Support | - | + | 0 | + | + | . | + | 0 | 0 | 0 | + | . | . |
| Monitor and Evaluate | - | 0 | - | 0 | . | . | . | . | . | . | . | + | + |
COBIT and Sarbanes-Oxley
Public companies subject to the U.S. Sarbanes-Oxley Act of 2002 must assess their internal control against a suitable, recognized control framework. The two frameworks most commonly used for this purpose are the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework and the IT Governance Institute's Control Objectives for Information and Related Technology (COBIT). The U.S. Securities and Exchange Commission's guidance points companies to COSO as the overall framework; COBIT is typically used alongside it to address the IT controls that support financial reporting.
The COSO Internal Control Integrated Framework defines internal control as a process, established by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of stated objectives. COBIT approaches IT control by looking at the information, not just financial information, that is needed to support business requirements, together with the associated IT resources and processes. COSO's control objectives focus on effectiveness and efficiency of operations, reliable financial reporting, and compliance with laws and regulations. COBIT extends these to cover quality and security requirements through seven overlapping information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information. These criteria form the foundation of COBIT's control objectives. The two frameworks also have different audiences: COSO is aimed at management at large, while COBIT is aimed at management, users, and auditors and is specifically focused on IT controls. Because of these differences, auditors should not expect a one-to-one relationship between the five COSO control components and the four COBIT domains.