© ITGI, ISACA - not for commercial use.

A High-level Overview of the COBIT Principles, Structure, and Framework

John R. Robles, 787-647-3961, jrobles@coqui.net, www.johnrrobles.com

ISACA PR - 5th Symposium

COBIT Framework

“This information is copyrighted by the IT Governance Institute and Information Systems Audit and Control Association. Any commercial use is strictly forbidden.

It may, however, be used for educational or promotional purposes by ISACA members and chapters on a not-for-profit basis.”

[Diagram: CobiT as a best practices repository for IT processes, IT management processes and IT governance processes]

Why does IT need a control and governance framework?

Do any of these conditions sound familiar?

Increasing pressure to leverage technology in business strategies

Growing complexity of IT environments

Fragmented IT infrastructures

Demand for technologists outstripping supply

Communication gap between business and IT managers

IT service levels that are disappointing

IT costs perceived to be out of control

Marginal ROI/productivity gains on technology investments

Impaired organisational flexibility and nimbleness to change

User frustration leading to ad hoc solutions

IT managers operating like firefighters

IT Governance Model

[Diagram: the four domains PO, AI, DS, MO]

IT governance helps ascertain how automated systems:
• Simplify operations
• Cut costs
• Increase revenue

Needs an IT Control Framework

COBIT: An IT Control Framework (Principles)

• Generally applicable and accepted international standard for good practice for IT controls
• For application to enterprisewide information systems
• Technology-independent
• Starting from business requirements for information
• Management- and business process owner-oriented
• Based on ISACA's Control Objectives: aligned with de jure and de facto standards and regulations; based on critical review of tasks and activities or process focus
• Includes existing standards and regulations: ISO, EDIFACT and others; Codes of Conduct issued by Council of Europe; professional standards in auditing: COSO, IFAC, IIA, ISACA, AICPA, etc.
• First published in April 1996, second edition in 1998, third in July 2000
• Has become the de facto standard for control over IT
• Fundamental in achieving IT governance

COBIT: An IT Control Framework (Concepts)

Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives

Promotes process focus and process ownership

Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each

Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT

Is supported by a set of over 300 detailed control objectives

Information criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance

Domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate

COBIT: An IT Control Framework

[Diagram: IT domains, processes, IT control objectives and IT control practices, with critical success factors, outcome measures, key performance indicators and a maturity model]

Why should an organisation adopt COBIT?

• IT is an important element of corporate governance and management accountability.
• Ensure business-oriented solutions.
• Framework for risk assessment
• As a means to communicate with all stakeholders
• Authoritative basis (internationally accepted, exhaustive, evolving)

COBIT: An IT Control Framework (Business Process)

“To provide the information the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”

• Relates to business requirements
• Links to business processes
• Empowers business owners

• Decomposed IT into four domains and 34 processes
• Domains: (plan-build-run) + monitor
• Control, audit, implementation and performance management knowledge structured by process

COBIT: An IT Control Framework (Framework)

[Diagram: Business Requirements, IT Processes and IT Resources]

COBIT Framework: How do they relate?

[Diagram: Business Requirements (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability); IT Processes (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate); IT Resources (Data, Information Systems, Technology, Facilities, Human Resources)]

COBIT Framework: How do they relate?

Business Requirements: what the stakeholders expect from IT (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability)

IT Processes: how IT is organised to respond to the requirements (Planning and organisation, Acquisition and implementation, Delivery and Support, Monitoring)

IT Resources: the resources made available to, and built up by, IT (Data, Information Systems, Technology, Facilities, Human Resources)

COBIT Framework: IT Processes

Domains: natural grouping of processes, often matching an organisational domain of responsibility

Processes: a series of joined activities with natural control breaks

Activities or tasks: actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete.

COBIT Framework: IT Resources

Data: Data objects in their widest sense, i.e., external and internal, structured and unstructured, graphics, sound, etc.

Application Systems: Understood to be the sum of manual and programmed procedures

Technology: Covers hardware, operating systems, database management systems, networking, multimedia, etc.

Facilities: Resources to house and support information systems

People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services

COBIT Framework

IT Domains (natural grouping of processes, often matching an organisational domain of responsibility):
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

IT Processes (a series of joined activities with natural control breaks):
• IT Strategy
• Policy and Procedures
• Feasibility Study
• Acceptance Testing
• Change Management
• Contingency Planning
• Problem Management

Activities (actions needed to achieve a measurable result; activities have a life cycle whereas tasks are discrete):
• Record New Problem
• Analyse
• Propose Solution
• Monitor Solution
• Record Known Problem
• Etc.

COBIT Domains

Domain: Plan and Organise (PO)

Topics: Strategy and tactics; Vision planned; Organisation and infrastructure

Questions:
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

Plan and Organise

PO1—Define a strategic IT plan
PO2—Define the information architecture
PO3—Determine the technological direction
PO4—Define the IT processes, organization and relationships
PO5—Manage the IT investment
PO6—Communicate management aims and direction
PO7—Manage IT human resources
PO8—Manage quality
PO9—Assess and manage IT risks
PO10—Manage projects

COBIT Domains

Domain: Acquire and Implement (AI)

Topics: IT solutions; Changes and maintenance

Questions:
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to deliver on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?

Acquire and Implement

AI1—Identify automated solutions
AI2—Acquire and maintain application software
AI3—Acquire and maintain technology infrastructure
AI4—Enable operation and use
AI5—Procure IT resources
AI6—Manage changes
AI7—Install and accredit solutions and changes

COBIT Domains

Domain: Deliver and Support (DS)

Topics: Delivery of required services; Setup of support processes; Processing by application systems

Questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimised?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate security, integrity and availability in place?

Deliver and Support

DS1—Define and manage service levels
DS2—Manage third-party services
DS3—Manage performance and capacity
DS4—Ensure continuous service
DS5—Ensure systems security
DS6—Identify and allocate costs
DS7—Educate and train users
DS8—Manage service desk and incidents
DS9—Manage the configuration
DS10—Manage problems
DS11—Manage data
DS12—Manage the physical environment
DS13—Manage operations

COBIT Domains

Domain: Monitor and Evaluate (ME)

Topics: Assessment over time, delivering assurance; Management’s oversight of the control system; Performance measurement

Questions:
• Can IT’s performance be measured and can problems be detected before it is too late?
• Is independent assurance needed to ensure that critical areas are operating as intended?

Monitor and Evaluate

ME1—Monitor and evaluate IT performance
ME2—Monitor and evaluate internal control
ME3—Ensure regulatory compliance
ME4—Provide IT governance

COBIT Framework: Waterfall Model

The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.

4 Domains - 34 Processes - 215 Control Objectives (the 215 count is COBIT 4.0's; the third edition, cited earlier as "over 300", had 318 detailed control objectives)

COBIT Framework

[Diagram: Business Objectives set the information criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability); the four domains, Plan and Organise (PO1 to PO10), Acquire and Implement (AI1 to AI7), Deliver and Support (DS1 to DS13) and Monitor and Evaluate (ME1 to ME4), as listed on the domain slides above, act on the IT Resources (Data, Application systems, Technology, Facilities, People)]

The Most Important IT Processes (Survey)

[Diagram: survey results; labels 34, 15 and 7]

PO1 Define a strategic IT plan
PO3 Determine the technological direction
PO5 Manage the IT investment
PO9 Assess and manage IT risks
PO10 Manage projects
AI1 Identify automated solutions
AI2 Acquire and maintain application s/w
AI5 Procure IT resources
AI6 Manage changes
DS1 Define and manage service levels
DS4 Ensure continuous service
DS5 Ensure systems security
DS10 Manage problems
DS11 Manage data
ME1 Monitor and evaluate IT performance

COBIT—Content

High-level Control Objective: one per process

Detailed Control Objectives: three to 30 per process

Control Practices: five to seven per control objective

COBIT Control Objectives

Based on the 41 primary references

Developed following a rigorous research process

Three to 30 detailed control objectives for each of the 34 processes

Directed to IT management, IT staff, control and audit functions and business process owners

For each process, detailed control objectives are identified as "good practice" that needs to be in place, and that will be assessed for sufficiency by the controls professional.

Control objectives provide a working document, a place to start, from which selections need to be made based on the enterprise value and risk drivers.

COBIT Control Objectives

AI6 MANAGE CHANGES

6.1 Change Request Initiation and Control
IT management should ensure that all requests for changes, system maintenance and supplier maintenance are standardised and are subject to formal change management procedures. Changes should be categorised and prioritised and specific procedures should be in place to handle urgent matters. Change requesters should be kept informed about the status of their request.

6.2 Impact Assessment
A procedure should be in place to ensure that all requests for change are assessed in a structured way for all possible impacts on the operational system and its functionality.

6.3 Control of Changes
IT management should ensure that change management and software control and distribution are properly integrated with a comprehensive configuration management system. The system used to monitor changes to application systems should be automated to support the recording and tracking of changes made to large, complex information systems.

6.4 Emergency Changes
IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation.

COBIT IT Control Practices

IT control practices are key control mechanisms that support:
• The achievement of control objectives
• The prevention, detection and correction of undesired events

IT control practices achieve that through:
• Responsible use of resources
• Appropriate management of risk
• Alignment of IT with business

Translate COBIT’s control objectives into detailed, implementable practices and provide the business argumentation for implementation, from a value and a risk perspective


COBIT—Example Process

AI6 Manage Changes
AI6.4 Emergency Changes: IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation.

IT Control Practices
1. Management has defined parameters, characteristics and procedures that allow it to identify and declare emergencies.
2. All emergency changes are documented, if not before, then after implementation.
3. All emergency changes are tested, if not before, then after implementation.
4. All emergency changes are formally authorised by the system owner and management, before implementation.
5. Before and after images as well as intervention logs are retained for subsequent review.

Why do it? Controlling emergency changes by implementing the control practices will:
• Ensure emergency procedures are used in declared emergencies only
• Ensure urgent changes can be implemented without compromising confidentiality, integrity, availability, reliability and accuracy
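The five control practices above are a procedure a reviewer can check mechanically. As an added illustration (not ISACA/ITGI material and not code from the presentation), the following Python module records an emergency change and tests it against each practice: a management-defined set of emergency parameters (practice 1), documentation and test timestamps (practices 2 and 3), sign-off by the system owner and IT management dated before implementation (practice 4), and SHA-256 digests plus a unified diff of the retained before/after images together with the intervention log (practice 5). The parameter set, the 24-hour post-implementation test window, the record layout and the two sample records are assumptions made for the example.

```python
"""Emergency-change register checked against the five AI6.4 control practices.
Added illustration only, not ISACA/ITGI material: the emergency parameters,
the 24-hour test window, the record layout and the sample records are assumed."""
from __future__ import annotations

import difflib
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Practice 1: parameters management has defined for declaring an emergency (assumed set).
EMERGENCY_PARAMETERS = {"sev1_outage", "active_exploitation", "data_corruption"}
# Practice 3: how long after implementation a test may still be recorded (assumed).
TEST_WINDOW = timedelta(hours=24)
# Practice 4: roles whose sign-off is required before implementation.
REQUIRED_APPROVERS = {"system_owner", "it_management"}


@dataclass
class EmergencyChange:
    change_id: str
    declared_reason: str            # the condition the requester declared as the emergency
    implemented_at: datetime
    approvers: set[str]             # roles that signed the authorisation
    authorised_at: datetime | None
    documented_at: datetime | None
    tested_at: datetime | None
    before_image: bytes | None      # configuration content captured before the change
    after_image: bytes | None       # ...and after it
    intervention_log: list[str] = field(default_factory=list)


def image_digests(change: EmergencyChange) -> tuple[str | None, str | None]:
    """Practice 5: tamper-evident fingerprints of the retained before/after images."""
    def digest(data: bytes | None) -> str | None:
        return hashlib.sha256(data).hexdigest() if data is not None else None
    return digest(change.before_image), digest(change.after_image)


def image_diff(change: EmergencyChange) -> list[str]:
    """Practice 5: what the reviewer looks at, a unified diff of before vs after."""
    if change.before_image is None or change.after_image is None:
        return []
    before = change.before_image.decode().splitlines()
    after = change.after_image.decode().splitlines()
    return list(difflib.unified_diff(before, after, "before", "after", lineterm=""))


def review(change: EmergencyChange) -> list[str]:
    """Return the practices this record violates; an empty list means compliant."""
    findings: list[str] = []
    if change.declared_reason not in EMERGENCY_PARAMETERS:
        findings.append("P1 reason is not a defined emergency parameter")
    if change.documented_at is None:
        findings.append("P2 change never documented")
    if change.tested_at is None or change.tested_at > change.implemented_at + TEST_WINDOW:
        findings.append("P3 no test recorded within the post-implementation window")
    if (not REQUIRED_APPROVERS <= change.approvers
            or change.authorised_at is None
            or change.authorised_at > change.implemented_at):
        findings.append("P4 not authorised by system owner and management before implementation")
    if change.before_image is None or change.after_image is None or not change.intervention_log:
        findings.append("P5 before/after images or intervention log not retained")
    return findings


def review_register(changes: list[EmergencyChange]) -> dict[str, list[str]]:
    """Review every record in the register, keyed by change id."""
    return {c.change_id: review(c) for c in changes}


def sample_register() -> list[EmergencyChange]:
    """Two constructed records: one that follows the practices, one that does not."""
    t0 = datetime(2024, 3, 1, 2, 15)
    compliant = EmergencyChange(
        change_id="EC-1001", declared_reason="active_exploitation",
        implemented_at=t0 + timedelta(minutes=40),
        approvers={"system_owner", "it_management"},
        authorised_at=t0 + timedelta(minutes=30),
        documented_at=t0 + timedelta(hours=3), tested_at=t0 + timedelta(hours=5),
        before_image=b"PermitRootLogin yes\nPasswordAuthentication yes\n",
        after_image=b"PermitRootLogin no\nPasswordAuthentication no\n",
        intervention_log=["02:55 ops: sshd_config edited on bastion-01",
                          "02:56 ops: sshd reloaded"],
    )
    noncompliant = EmergencyChange(
        change_id="EC-1002", declared_reason="customer_request",  # not a declared emergency
        implemented_at=t0 + timedelta(hours=1),
        approvers={"it_management"},                # system owner never signed
        authorised_at=t0 + timedelta(hours=2),      # and the sign-off came after the change
        documented_at=t0 + timedelta(hours=2), tested_at=None,
        before_image=None,                          # nothing to compare the after image with
        after_image=b"max_connections = 500\n",
        intervention_log=[],
    )
    return [compliant, noncompliant]


if __name__ == "__main__":
    for change in sample_register():
        print(change.change_id, review(change) or "compliant", image_digests(change))
        print("\n".join(image_diff(change)))
```

Run as a script, the register prints EC-1001 as compliant with the diff showing the two sshd settings that changed, and EC-1002 with findings for practices 1, 3, 4 and 5: the change was not a declared emergency, was never tested, was signed off only by IT management and only after the fact, and has no before image to review against.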

The COBIT Framework

How Is COBIT Used? (Results from Surveys)

• To improve audit approach/programs
• To support audit work with detailed audit guidelines
• To provide guidance for IT governance
• As a valuable benchmark for IS/IT control
• To improve IS/IT controls
• To standardise audit approach/programs

COBIT—Benefits

What

Comfort about:
• Dependence on IT
• IT risks are mitigated
• IT delivers value

Assurance of:
• Cost down and revenue up
• Business operations improved
• Service levels maintained

Who
• Executive
• Business manager
• IT manager
• Project manager
• Developer
• Operations staff
• User
• Security officer
• Auditor

The COBIT Framework

Why Is COBIT Used? (Testimonials from Case Studies)

• Helps substantially increase acceptance and reduce time needed to implement IT governance program
• Provides a guide for formal audits/reviews
• Helps use results of audits as an opportunity to plan improvements
• Strong factor in achieving primary goals for IT governance—transform organisational practices and pursue improved processes
• Provides economical continuous improvement framework
• Management's decision on controls needed was based on a credible source (COBIT)
• IT operations manager impressed with COBIT's ability to help him understand what auditors want
• Ideal for business management
• Reliable source reference that ensures identification of all major risk areas
• Improves communications and relations with IT management

COBIT Products

Management Guidelines

Provide management direction for:
• Getting the enterprise's information and related processes under control
• Monitoring achievement of organisational goals
• Monitoring and improving performance within each IT process
• Benchmarking organisational achievement

Action-oriented and generic

Provide answers to typical management questions:
• How far should we go in controlling IT, and is the cost justified by the benefit?
• What are the indicators of good performance?
• What are the critical success factors?
• What are the risks of not achieving our objectives?
• What do others do? How do we measure and compare?

[Diagram: the audiences (Executives and Boards; Business and Technology Management; Audit, control and security professionals), their questions (What is the IT Control Framework? How to assess the IT Control Framework? How to introduce it in the enterprise?) and the Management Guidelines components (practices, responsibilities, performance measures, critical success factors, maturity models)]

IT Governance Implementation Guide

Biggest Challenge = Sustainable Solutions
• Establish policy, objectives and targets
• Implement policy, responsibilities, processes and procedures
• Measure performance against policy and external best practice
• Take corrective and preventive action and continuously improve
• Measure success of the change projects
• Provide feedback into other improvement projects

Road Map Approach
• Identify needs
• Envision the solution
• Plan the solution
• Implement the solution

Business value and risk analysis; As-is and to-be positions; Gap analysis; Project identification and initiation

IT Governance Implementation Guide: Implementation Road Map

Identify needs: raise awareness and make decision; analyse values and risks; select processes

Envision the solution: define where you are; define where you want to be; analyse gaps

Plan the solution: define projects; develop and implement change plan

Implement the solution: integrate into day-to-day practices; integrate measures into IT BSC

Post-implementation review and feedback

IT Governance Implementation Guide: Implementation Manual

Conclusion—COBIT Values

PRESENT
• Sharing knowledge and leveraging expert volunteers
• Internationally accepted good practices
• Continually evolves
• Maintained by reputable not-for-profit organisation
• Maps strongly onto all major related standards
• Is management-oriented
• Is supported by tools and training
• Maps completely to ISO17799 and COSO

FUTURE
• Provide action-oriented solutions

Summary of CobiT 4.0 Domains and Processes

PLAN AND ORGANISE
PO1—Define a strategic IT plan
PO2—Define the information architecture
PO3—Determine the technological direction
PO4—Define the IT processes, organization and relationships
PO5—Manage the IT investment
PO6—Communicate management aims and direction
PO7—Manage IT human resources
PO8—Manage quality
PO9—Assess and manage IT risks
PO10—Manage projects

ACQUIRE AND IMPLEMENT
AI1—Identify automated solutions
AI2—Acquire and maintain application software
AI3—Acquire and maintain technology infrastructure
AI4—Enable operation and use
AI5—Procure IT resources
AI6—Manage changes
AI7—Install and accredit solutions and changes

DELIVER AND SUPPORT
DS1—Define and manage service levels
DS2—Manage third-party services
DS3—Manage performance and capacity
DS4—Ensure continuous service
DS5—Ensure systems security
DS6—Identify and allocate costs
DS7—Educate and train users
DS8—Manage service desk and incidents
DS9—Manage the configuration
DS10—Manage problems
DS11—Manage data
DS12—Manage the physical environment
DS13—Manage operations

MONITOR AND EVALUATE
ME1—Monitor and evaluate IT performance
ME2—Monitor and evaluate internal control
ME3—Ensure regulatory compliance
ME4—Provide IT governance

The COBIT Framework

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
[email protected]
www.isaca.org
www.itgi.org

John R. Robles and [email protected]
www.johnrrobles.com