
COBIT Framework

<event name>
<name of presenter>

«A high-level overview of the COBIT principles, structure, framework and products»

CobiT: best practices repository for
• IT Processes
• IT Management Processes
• IT Governance Processes

“This information is copyrighted by the IT Governance Institute and Information Systems Audit and Control Association. Any commercial use is strictly forbidden. It may, however, be used for educational or promotional purposes by ISACA members and chapters on a not-for-profit basis.”

© ITGI, ISACA - not for commercial use.


Why does IT need a control and governance framework?

Do any of these conditions sound familiar?

• Increasing pressure to leverage technology in business strategies
• Growing complexity of IT environments
• Fragmented IT infrastructures
• Demand for technologists outstripping supply
• Communication gap between business and IT managers
• IT service levels that are disappointing
• IT costs perceived to be out of control
• Marginal ROI/productivity gains on technology investments
• Impaired organisational flexibility and nimbleness to change
• User frustration leading to ad hoc solutions
• IT managers operating like firefighters


IT Governance Model

[Figure: governance cycle through the four COBIT domains: PO, AI, DS, MO]

IT governance helps ascertain how automated systems:
• Simplify operations
• Cut costs
• Increase revenue

Needs an IT Control Framework


COBIT: An IT Control Framework
Principles

• Generally applicable and accepted international standard for good practice for IT controls
• For application to enterprisewide information systems
• Technology-independent
• Starting from business requirements for information
• Management- and business process owner-oriented
• Based on ISACA's Control Objectives
  – Aligned with de jure and de facto standards and regulations
  – Based on critical review of tasks and activities or process focus
• Includes existing standards and regulations
  – ISO, EDIFACT and others
  – Codes of Conduct issued by Council of Europe
  – Professional standards in auditing: COSO, IFAC, IIA, ISACA, AICPA, etc.
• First published in April 1996, second edition in 1998, third in July 2000
• Has become the de facto standard for control over IT
• Fundamental in achieving IT governance

COBIT: An IT Control Framework
Concepts

• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
• Promotes process focus and process ownership
• Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
• Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
• Is supported by a set of over 300 detailed control objectives

The four domains:
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

The seven information criteria:
• Effectiveness
• Efficiency
• Availability
• Integrity
• Confidentiality
• Reliability
• Compliance


COBIT: An IT Control Framework
Product Set

Executives & Boards (practices and responsibilities):
• Board Briefing

Business and Technology Management:
• Management Guidelines
  – Performance measures
  – Critical success factors
  – Maturity models

Audit, control and security professionals:
• What is the IT Control Framework? COBIT Framework, Control Objectives, Control Practices
• How to assess the IT control framework? Audit Guidelines
• How to introduce it in the enterprise? Implementation Guide

An open standard at www.isaca.org

COBIT: An IT Control Framework
Why should an organisation adopt COBIT?

• IT is an important element of corporate governance and management accountability.
• Ensure business-oriented solutions.
• Framework for risk assessment
• As a means to communicate with all stakeholders
• Authoritative basis (internationally accepted, exhaustive, evolving)

[Figure: IT Domains → Processes → Control Objectives, Critical Success Factors, Outcome Measures, Key Performance Indicators, Maturity Model; IT Control Practices]


COBIT: An IT Control Framework

“To provide the information the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”

Business
• Relates to business requirements
• Links to business processes
• Empowers business owners

Process
• Decomposed IT into four domains and 34 processes
• Domains: (plan-build-run) + monitor
• Control, audit, implementation and performance management knowledge structured by process


COBIT: An IT Control Framework
Framework

[Figure: the three layers of the framework: Business Requirements, IT Processes, IT Resources]


COBIT Framework
How do they relate?

IT Resources
• Data
• Information Systems
• Technology
• Facilities
• Human Resources

IT Processes
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

Business Requirements
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Information Reliability

COBIT Framework
How do they relate?

Business Requirements: what the stakeholders expect from IT (the requirements)
IT Processes: how IT is organised to respond to the requirements
IT Resources: the resources made available to and built up by IT

IT Resources
• Data
• Information Systems
• Technology
• Facilities
• Human Resources

IT Processes
• Planning and organisation
• Acquisition and implementation
• Delivery and Support
• Monitoring

Business Requirements
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Information Reliability

COBIT Framework
Domains

Plan and Organise

Topics
• Strategy and tactics
• Vision planned
• Organisation and infrastructure

Questions
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

Acquire and Implement

Topics
• IT solutions
• Changes and maintenance

Questions
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to deliver on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?


COBIT Domains

Deliver and Support

Topics
• Delivery of required services
• Setup of support processes
• Processing by application systems

Questions
• Are IT services being delivered in line with business priorities?
• Are IT costs optimised?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate security, integrity and availability in place?

Monitor and Evaluate

Topics
• Assessment over time, delivering assurance
• Management’s oversight of the control system
• Performance measurement

Questions
• Can IT’s performance be measured and can problems be detected before it is too late?
• Is independent assurance needed to ensure that critical areas are operating as intended?


COBIT Framework
Waterfall Model

The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.

4 Domains - 34 Processes - 318 Control Objectives

COBIT Framework

Business Objectives: Information Criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

IT Resources
• Data
• Application systems
• Technology
• Facilities
• People

PLAN AND ORGANISE
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain IT procedures
AI5 Install and accredit systems
AI6 Manage changes

DELIVER AND SUPPORT
DS1 Define service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Assist and advise IT customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

MONITOR AND EVALUATE
M1 Monitor the process
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit


COBIT Products
Board Briefing on IT Governance

• Based on COBIT, it provides help to understand:
  – Why IT governance is important
  – What the issues are
  – Which management responsibilities are involved
• Addressed to boards of directors, supervisory boards, audit committees, chief executive officers, chief information officers and other executive management
• Provides:
  – Background on governance
  – A simple IT governance framework
  – Questions board members should ask
  – Good practices and critical success factors
  – Performance measures board members can track
  – A maturity model for benchmarking
  – Roles and responsibilities of those involved

COBIT Products
Control Objectives and Control Practices

Control Objectives
COBIT provides a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

Control Practices
IT control practices expand the capabilities of COBIT by providing the practitioner with an additional level of detail. The COBIT IT processes, business requirements and detailed control objectives define what needs to be done to implement an effective control structure. The IT control practices provide the more detailed how and why needed by management, service providers, end users and control professionals to implement highly specific controls based on an analysis of operational and IT risks.


COBIT Products
Management Guidelines

• Provide management direction for:
  – Getting the enterprise's information and related processes under control
  – Monitoring achievement of organisational goals
  – Monitoring and improving performance within each IT process
  – Benchmarking organisational achievement
• Action-oriented and generic
• Provide answers to typical management questions:
  – How far should we go in controlling IT, and is the cost justified by the benefit?
  – What are the indicators of good performance?
  – What are the critical success factors?
  – What are the risks of not achieving our objectives?
  – What do others do? How do we measure and compare?


COBIT Products
COBIT Online

COBIT Online is, as its name suggests, an online offering of COBIT, including full browsing and searching capabilities, benchmarking functions, downloads, a discussion area and the capacity to customise and create the user's own version of COBIT.

IT Governance Implementation Guide

The objective of this implementation guide is to provide readers with a methodology, using COBIT, for implementing and improving IT governance. The guide is focused on a generic methodology for implementing IT governance, covering the following subjects:
• Why IT governance is important and why organisations should implement it
• The IT governance life cycle and the COBIT framework
• How COBIT is linked to IT governance and how COBIT enables the implementation of IT governance
• The stakeholders who have an interest in IT governance
• A road map for implementing IT governance using COBIT


COBIT Online



IT Governance Implementation Guide

Road Map Approach
• Identify needs: business value and risk analysis
• Envision the solution: as-is and to-be positions
• Plan the solution: gap analysis
• Implement the solution: project identification and initiation

Biggest Challenge = Sustainable Solutions
• Establish policy, objectives and targets
• Implement policy, responsibilities, processes and procedures
• Measure performance against policy and external best practice
• Take corrective and preventive action and continuously improve
• Measure success of the change projects
• Provide feedback into other improvement projects


IT Governance Implementation Guide
Road Map

Identify needs
• Raise awareness & make decision
• Analyse values and risks
• Select processes

Envision the solution
• Define where you are
• Define where you want to be
• Analyse gaps

Plan the solution
• Define implementation projects
• Develop & implement change plan

Implement the solution
• Integrate into day-to-day practices
• Integrate measures into ITBSC

Post-implementation review and feedback


IT Governance Implementation Guide
Implementation Manual


COBIT Products
Quickstart

• Objective is also to assist management in implementing IT governance.
• Focuses on small and medium-sized enterprises (SMEs), and other entities where:
  – IT is not strategic or absolutely critical for survival.
  – Breadth and depth of COBIT is too detailed, too time-consuming to analyse and focus on.
• Provides a selection of the complete COBIT framework
• A baseline and a set of smart things to do
• A starting point for other enterprises in their move towards an appropriate level of control and governance of IT


COBIT QuickStart

[Figure: As Is and To Be positions for PO – Plan and Organise]


Conclusion: COBIT Values

PRESENT
• Sharing knowledge and leveraging expert volunteers
• Internationally accepted good practices
• Continually evolves
• Maintained by reputable not-for-profit organisation
• Maps strongly onto all major related standards
• Is management-oriented
• Is supported by tools and training
• Maps completely to ISO17799 and COSO

FUTURE
• Provide action-oriented solutions

The COBIT Framework
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
+1.847.590.7491
info@itgi.org
info@isaca.org
www.isaca.org
www.itgi.org
