Glossary of terms used in the Open IT Policy Project
COBIT (Control Objectives for Information and related Technology)

COBIT (Control Objectives for Information and related Technology) is a widely adopted framework for information technology (IT) management issued by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

History and Overview

COBIT was first released in 1996. Its mission is “to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.” Managers, auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.

COBIT has 34 high-level processes that cover 210 control objectives categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring.

COBIT provides benefits to managers, IT users, and auditors. Managers benefit from COBIT because it provides them with a foundation upon which IT-related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system. IT users benefit from COBIT because of the assurance provided to them by COBIT's defined controls, security, and process governance. COBIT benefits auditors because it helps them identify IT control issues within a company’s IT infrastructure. It also helps them corroborate their audit findings.

The first edition of COBIT was published in 1996. The second edition, in 1998, added Management Guidelines. The third edition was released in 2000 (the on-line edition became available in 2003); the fourth edition was released in December 2005 and was revised as edition 4.1 in May 2007.

COBIT Version 4 has significant advantages over COBIT 3, consolidating most of the separate books into a single volume for ease of use. New subsections for each process include:

  • Cross-references of inputs and outputs to/from other COBIT processes (which can help rationalize finger-pointing)
  • Activities for each process, with the RACI diagram for each activity (showing what the CFO, CEO, IT Service Manager, Development Manager, etc. should do or be involved in)

COBIT Version 4.1 is the current version, available from the ISACA web site.

COBIT consists of six publications:

  • Executive Summary
  • Framework
  • Control Objectives
  • Audit Guidelines
  • Implementation Tool Set
  • Management Guidelines

Structure

COBIT covers four domains:

  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate

Plan and Organize

The Planning and Organization domain covers the use of information and technology and how it can best be used in a company to help achieve the company’s goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve optimal results and generate the most benefit from the use of IT. The following list gives the high-level control objectives for the Planning and Organization domain.

High-level control objectives

  • PO1 Define a Strategic IT Plan and direction
  • PO2 Define the Information Architecture
  • PO3 Determine Technological Direction
  • PO4 Define the IT Processes, Organization and Relationships
  • PO5 Manage the IT Investment
  • PO6 Communicate Management Aims and Direction
  • PO7 Manage IT Human Resources
  • PO8 Ensure Compliance with External Requirements
  • PO9 Assess and Manage IT Risks
  • PO10 Manage Projects
  • PO11 Manage Quality

Acquire and Implement

The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components. The following list gives the high-level control objectives for the Acquisition and Implementation domain.

High-level control objectives

  • AI1 Identify Automated Solutions
  • AI2 Acquire and Maintain Application Software
  • AI3 Acquire and Maintain Technology Infrastructure
  • AI4 Enable Operation and Use
  • AI5 Procure IT Resources
  • AI6 Manage Changes
  • AI7 Install and Accredit Solutions and Changes

Delivery and Support

The Delivery and Support domain focuses on the delivery aspects of information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training. The following list gives the high-level control objectives for the Delivery and Support domain.

High-level control objectives

  • DS1 Define and Manage Service Levels
  • DS2 Manage Third-party Services
  • DS3 Manage Performance and Capacity
  • DS4 Ensure Continuous Service
  • DS5 Ensure Systems Security
  • DS6 Identify and Allocate Costs
  • DS7 Educate and Train Users
  • DS8 Manage Service Desk and Incidents
  • DS9 Manage the Configuration
  • DS10 Manage Problems
  • DS11 Manage Data
  • DS12 Manage the Physical Environment
  • DS13 Manage Operations

Monitor and Evaluate

The Monitoring and Evaluation domain deals with a company’s strategy for assessing its needs, whether the current IT system still meets the objectives for which it was designed, and whether the controls necessary to comply with regulatory requirements are in place. Monitoring also covers independent assessment, by internal and external auditors, of the effectiveness of the IT system in meeting business objectives and of the company’s control processes. The following list gives the high-level control objectives for the Monitoring domain.

High-level control objectives

  • ME1 Monitor and Evaluate IT Processes
  • ME2 Monitor and Evaluate Internal Control
  • ME3 Ensure Regulatory Compliance
  • ME4 Provide IT Governance

COBIT in Relation to Other Standards

COBIT and ISO/IEC 17799:2005

COBIT was released and used primarily by the IT community, and has become the internationally accepted framework for IT governance and control. ISO/IEC 17799:2005 (The Code of Practice for Information Security Management) is also an international standard and is best practice for implementing security management. The two standards do not compete with each other and actually complement one another. COBIT typically covers a broader area of IT management, while ISO/IEC 17799 focuses on information security management.

COBIT and Sarbanes-Oxley

Public companies subject to the U.S. Sarbanes-Oxley Act of 2002 are encouraged to adopt COBIT and/or the Committee of Sponsoring Organizations of the Treadway Commission (COSO) “Internal Control - Integrated Framework.” In choosing which of the control frameworks to implement in order to comply with Sarbanes-Oxley, the U.S. Securities and Exchange Commission suggests that companies follow the COSO framework.

COSO Internal Control — Integrated Framework states that internal control is a process—established by an entity's board of directors, management, and other personnel — designed to provide reasonable assurance regarding the achievement of stated objectives. COBIT approaches IT control by looking at information — not just financial information — that is needed to support business requirements and the associated IT resources and processes. COSO control objectives focus on effectiveness, efficiency of operations, reliable financial reporting, and compliance with laws and regulations. The two frameworks have different audiences. COSO is useful for management at large, while COBIT is useful for IT management, users, and auditors. COBIT is specifically focused on IT controls. Because of these differences, auditors should not expect a one-to-one relationship between the five COSO control components and the four COBIT objective domains.

COBIT and other international standards

For more international standards, see the ISACA COBIT Mappings (http://www.isaca.org/Template.cfm?Section=COBIT_Mapping1&Template=/ContentManagement/ContentDisplay.cfm&ContentID=30523). COBIT is also addressed by the Information Security Forum in its Standard of Good Practice and other documents.
