Implementing COBIT for Effective IT Compliance
Contents

1. INTRODUCTION TO COBIT ..... 1
2. COBIT ..... 3
2.1 COBIT STRUCTURE ..... 3
2.2 COBIT DOMAIN AND PROCESS STRUCTURE ..... 4
2.3 INFORMATION MEASUREMENT CRITERIA ..... 6
2.4 PROCESS GOALS AND METRICS ..... 7
2.5 GENERIC PROCESS CONTROLS ..... 8
2.6 GENERIC APPLICATION CONTROLS ..... 9
2.7 PROCESS MATURITY MODEL ..... 9
3. COBIT AND OTHER GOVERNANCE FRAMEWORKS ..... 10
4. LINKS ..... 11
1. Introduction to COBIT

This article is intended to be a brief introduction to the Control Objectives for Information and related Technology (COBIT). COBIT is a substantial topic. The links at the end of this article will provide a starting point for more information.

COBIT fits into the increasingly crowded landscape of corporate governance, regulation and compliance rules and standards: Sarbanes-Oxley, BASEL II, ISO 17799/BS 7799, Know Your Customer/Anti-Money Laundering, SEC Rule 17a-4/NASD Rule 3010/3110, ITIL, Stability II, Data Protection Act, EU Directive 95/46, Gramm-Leach-Bliley Act, COSO and many others. IT is impacted by these requirements as IT drives the business process and manages the information that such governance seeks to control. IT is at the core of most complex businesses. IT is required to manage itself more effectively and reliably in order to respond to these requirements.

There are two aspects to IT controls:
1. IT must implement internal controls around how it operates.
2. The systems IT delivers to the business and the underlying business processes these systems actualise must be controlled – these are controls external to IT.

COBIT aims to be different from these other governance approaches in two ways:
1. It is an IT governance framework and supporting set of tools that IT can use to bridge the gap between control requirements, technical issues and business risks.
2. It provides a detailed implementation structure and toolset that translates the framework theory into practical and achievable deliverables.
Page 1 of 12
Like all governance standards and methodologies, their implementation can be long and painful. Implementation of and adherence to these compliance standards can seem to represent wasted effort as it does not add value to the business. COBIT removes at least some of the pain and reduces the execution time by going some way towards translating general principles into realisable specifics. Because COBIT has a detailed implementation framework, the project to implement it and the associated time and cost can be defined more exactly. The framework can be customised to suit the requirements of the organisation.

COBIT has a broad coverage and a business focus. It seeks to ensure that IT delivers what the business needs. COBIT focuses on the "what" rather than on the "how". It is a control and management framework, linking IT practices to business requirements. COBIT is based on the principle that to provide the information that the enterprise requires to achieve its objectives, the enterprise needs to manage and control IT resources using a structured set of processes to deliver the required information services.

The implementation of COBIT seeks to deliver real benefits:
• Better IT to business alignment built on a business focus
• Management view of what IT does
• Clear ownership and responsibilities, based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, based on a common language
• Fulfilment of the governance requirements for the IT control environment
The remainder of this article refers to COBIT V4.0, the latest version.
Figure 1 - Underlying COBIT Principle
2. COBIT

2.1 COBIT Structure

Schematically, the structure of the components of COBIT and their relationship is represented as:
Figure 2 - COBIT Components and Relationships
COBIT provides a framework and an associated toolset that allow IT to implement controls, address technical issues and business risks, and communicate that level of control to IT business stakeholders. By providing a toolset, COBIT enables the development of policy and practice for IT control throughout the enterprise. COBIT is integrated with other standards and thus can become an umbrella framework for IT governance. It assists in understanding and managing the risks and benefits associated with IT. The process structure of COBIT and its business-oriented approach provide an end-to-end view of IT.
2.2 COBIT Domain and Process Structure

The COBIT process model of four domains contains (currently) 34 template processes that manage the IT resources to deliver information to the business according to business and governance requirements. Each of the processes contains a set of objectives.
Figure 3 - COBIT Hierarchy

When implemented, the processes can be regarded as an engine to deliver information and fulfil objectives.
Figure 4 - COBIT Process Domains and The Delivery of Information to Meet Objectives

The four COBIT domains and their constituent template processes are:

Plan and Organise (PO)
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define the IT processes, organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects

Acquire and Implement (AI)
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes

Deliver and Support (DS)
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations

Monitor and Evaluate (ME)
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance

Table 1 - COBIT Processes and Detailed Controls
The implementation of these COBIT processes within the toolset is divided into four parts:
1. High-level control objective – this is a process summary identifying the business requirement being satisfied, focus, achievement and measurement principles
2. Detailed process-specific control objectives
3. Process inputs and outputs, responsibilities, goals and metrics
4. Process maturity model

Each of these processes consists of a number of specific control objectives. For example, the process PO1 Define a strategic IT plan consists of the following control objectives:
• PO1.1 IT Value Management
• PO1.2 Business-IT Alignment
• PO1.3 Assessment of Current Performance
• PO1.4 IT Strategic Plan
• PO1.5 IT Tactical Plans
• PO1.6 IT Portfolio Management
In all there are currently 215 specific detailed control objectives across the 34 processes. Again, it is COBIT's execution-oriented template approach and structure that make it useful and implementable.
2.3 Information Measurement Criteria

COBIT defines seven criteria that measure how the information delivered by the 34 processes meets business objectives.
Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
Efficiency: Concerned with the provision of the information through the optimal use of resources
Confidentiality: Concerned with the protection of sensitive information from unauthorized disclosure
Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Availability: Relates to the information being available when required by the business process now and in the future
Compliance: Deals with complying with laws, regulations and contractual arrangements
Reliability: Relates to the provision of appropriate information for the workforce of the organization

Table 2 - COBIT Information Measurement Criteria
2.4 Process Goals and Metrics

Each process has three sets of goals measured by corresponding sets of metrics:

Goal            Metric
Activity Goals  Key Performance Indicators
Process Goals   Process Key Goal Indicators
IT Goals        IT Key Goal Indicators

Table 3 - Process Goals and Metrics
For example, the goals and metrics for the process PO1 Define a strategic IT plan are:

Activity Goals
• Engaging with business and senior management in aligning IT strategic planning with current and future business needs
• Understanding current IT capabilities
• Translating IT strategic planning into tactical plans
• Providing for a prioritisation scheme for the business objectives that quantifies the business requirements

Process Goals
• Define how business requirements are translated in service offerings.
• Define the strategy to deliver service offerings.
• Contribute to the management of the portfolio of IT-enabled business investments.
• Establish clarity of business impact of risks to IT objectives and resources.
• Provide transparency and understanding of IT costs, benefits, strategy, policies and service levels.

IT Goals
• Respond to business requirements in alignment with the business strategy.
• Respond to governance requirements in line with board direction.

Key Performance Indicators
• Delay between updates of business strategic/tactical plan and updates of IT strategic/tactical plan
• % of strategic/tactical IT plan meetings where business representatives have actively participated
• Delay between updates of IT strategic plan and updates of IT tactical plans
• % of tactical IT plans complying with the predefined structure/contents of those plans
• % of IT initiatives/projects championed by business owners

Process Key Goal Indicators
• % of IT objectives in the IT strategic plan that support the strategic business plan
• % of IT initiatives in the IT tactical plan that support the tactical business plan
• % of IT projects in the IT project portfolio that can be directly traced back to the IT tactical plan

IT Key Goal Indicators
• Degree of approval of business owners of the IT strategic/tactical plans
• Degree of compliance with business and governance requirements
• Level of satisfaction of the business with the current state (number, scope, etc.) of the project and applications portfolio

Table 4 - Detailed goals and metrics for sample process PO1 Define a strategic IT plan
2.5 Generic Process Controls

In addition to the process-specific control objectives, COBIT includes a set of generic process controls that are applied to all processes:

PC1 Process Owner: Assign an owner for each COBIT process such that responsibility is clear.
PC2 Repeatability: Define each COBIT process such that it is repeatable.
PC3 Goals and Objectives: Establish clear goals and objectives for each COBIT process for effective execution.
PC4 Roles and Responsibilities: Define unambiguous roles, activities and responsibilities for each COBIT process for efficient execution.
PC5 Process Performance: Measure the performance of each COBIT process against its goals.
PC6 Policy, Plans and Procedures: Document, review, keep up to date, sign off on and communicate to all involved parties any policy, plan or procedure that drives a COBIT process.

Table 5 - COBIT Generic Detailed Process Controls
2.6 Generic Application Controls

As with the generic process controls described above, COBIT includes a set of generic application controls that are applied to all processes:

Data Origination/Authorisation Controls
AC1 Data Preparation Procedures
AC2 Source Document Authorisation Procedures
AC3 Source Document Data Collection
AC4 Source Document Error Handling
AC5 Source Document Retention

Data Input Controls
AC6 Data Input Authorisation Procedures
AC7 Accuracy, Completeness and Authorisation Checks
AC8 Data Input Error Handling

Data Processing Controls
AC9 Data Processing Integrity
AC10 Data Processing Validation and Editing
AC11 Data Processing Error Handling

Data Output Controls
AC12 Output Handling and Retention
AC13 Output Distribution
AC14 Output Balancing and Reconciliation
AC15 Output Review and Error Handling
AC16 Security Provision for Output Reports

Boundary Controls
AC17 Authenticity and Integrity
AC18 Protection of Sensitive Information During Transmission and Transport

Table 6 - COBIT Detailed Application Controls
2.7 Process Maturity Model

The implementation of each process is measured on a maturity scale from 0, meaning non-existent, to 5, denoting optimised:
Figure 5 - Process Maturity Measurement

There is a separate specific maturity model for each of COBIT's 34 IT processes. The organisation can evaluate its maturity in its management and control over IT processes. The maturity scale of 0-5 and associated score is not intended to be precise. The objective is to identify where issues are and to set priorities for improvements. Using this, management can identify the current performance of the enterprise and the enterprise's target for improvement.
3. COBIT and Other Governance Frameworks

Implementing COBIT will assist in compliance with other major standards such as COSO and Sarbanes-Oxley:
Figure 6 - COBIT, COSO and SOX

Because COBIT contains a detailed implementation toolset, it can be used to provide a framework for implementing other standards. Implementing COBIT can subsume compliance with many other standards. The following maps other standards to COBIT in terms of:
• Level of Detail - How detailed are the guidelines in terms of technical or operational depth.
• Completeness - How much of COBIT is addressed with the standard, what is more comprehensively addressed than in COBIT and what is absent compared to COBIT.
Figure 7 - Comparison of COBIT and Other Standards
4. Links

These are some links relating to COBIT where you can find more information.

http://www.isaca.org/ : Information Systems Audit and Control Association – co-owner of COBIT
http://www.isaca.org/cobit : COBIT Home
http://cobitcampus.isaca.org : COBIT Education
http://www.itgi.org/ : IT Governance Institute – co-owner of COBIT
http://www.coso.org/ : Committee of Sponsoring Organizations of the Treadway Commission
http://it.safemode.org/ : COBIT open initiative
http://www.sox-online.com/coso_cobit.html : SOX, COSO and COBIT Centre
http://www.ogc.gov.uk/index.asp?id=2261 : IT Infrastructure Library home
http://www.controlit.org/ : Support Group for COBIT Users containing COBIT forums and information

Table 7 - Web Links for More Information