
COBIT Framework

Introduction
Problems with IT?
Increasing pressure to leverage technology in business
strategies
Growing complexity of IT environments
Fragmented IT infrastructures
Communication gap between business and IT managers
IT service levels that are disappointing from internal IT
functions and from increasingly outsourced IT providers
IT costs perceived to be out of control
Marginal ROI/productivity gains on technology investments
Impaired organisational flexibility and nimbleness to change
User frustration leading to ad hoc solutions
IT Governance
The purpose of IT governance is to direct IT
endeavors, to ensure that IT's performance meets
the following objectives:
Alignment of IT with the enterprise and
realisation of the promised benefits
Use of IT to enable the enterprise by exploiting
opportunities and maximising benefits
Responsible use of IT resources
Appropriate management of IT-related risks
Focus Areas of IT Governance
Why do we need a Framework?
Increasing dependence on information and the
systems that deliver this information
Increasing vulnerabilities and a wide spectrum of
threats, such as cyberthreats and information warfare
Scale and cost of the current and future investments
in information and information systems
The need to comply with regulations
The potential for technologies to dramatically change
organisations and business practices, create new
opportunities and reduce costs
Recognition by many organisations of the potential
benefits that technology can yield
Successful organisations understand and manage the
risks associated with implementing new technologies.
Firms need to ensure that:
1. IT provides value - Cost, time and functionality are as
expected
2. IT does not provide surprises - Risks are mitigated
3. IT pushes the envelope - New opportunities and
innovations for process, product and services
Who Needs a Framework?
Board and Executive
To ensure management follows and implements the strategic
direction for IT
Management
To make IT investment decisions
To balance risk and control investment
To benchmark existing and future IT environment
Users
To obtain assurance on security and control of products and services
they acquire internally or externally
Auditors
To substantiate opinions to management on internal controls
To advise on what minimum controls are necessary
COBIT
Control Objectives for Information and related
Technology (COBIT) is a set of best practices
(framework) for IT management created by the
Information Systems Audit and Control Association
(ISACA). It:
1. Incorporates major international standards
2. Has become the de facto standard for overall control
over IT
3. Starts from business requirements
4. Is process-oriented
COBIT: Basics?
Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
Promotes process focus and process ownership
Divides IT into 34 processes belonging to four domains (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate) and provides a high-level control objective for each
Considers fiduciary, quality and security needs of enterprises, providing seven information criteria (Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance) that can be used to generically define what the business requires from IT
Is supported by a set of over 300 detailed control objectives
