COBIT

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived from the use of information technology and in developing appropriate IT governance and control in a company.


Overview


COBIT was first released in 1996. Its mission is “to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.” Managers, auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.
COBIT has 34 high-level processes that cover 318 control objectives, categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring.
COBIT provides benefits to managers, IT users, and auditors. Managers benefit from COBIT because it provides them with a foundation upon which IT related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system. IT users benefit from COBIT because of the assurance provided to them by COBIT’s defined controls, security, and process governance. COBIT benefits auditors because it helps them identify IT control issues within a company’s IT infrastructure. It also helps them corroborate their audit findings.
Recently, ISACA has released Val IT, which correlates the COBIT processes to senior management processes required to get good value from IT investments.

Release history


The first edition of COBIT was published in 1996. The second edition, in 1998, added Management Guidelines. The third edition was released in 2000 (the on-line edition became available in 2003); and the fourth edition was released in December 2005.
COBIT Version 4 has significant advantages over COBIT 3, consolidating most of the separate books into a single volume for ease of use. New subsections for each process include:

★ Cross-references of inputs and outputs to/from other COBIT processes (which can help rationalize finger-pointing)

★ Activities for each process, with the RACI diagram for each activity (showing what the CFO, CEO, IT Service Manager, Development Manager, etc. should do or be involved in)

COBIT Version 4.1 is now available from the ISACA web site. The major changes are:

★ Maturity Model support

★ Simplification of Goals descriptions

★ Cascading of the processes and (bidirectional) relations between the Business, the IT Goals and the IT Processes.
Be aware: the summary below is aligned to COBIT version 4.0, which introduces major changes compared to the former COBIT version 3.2.

COBIT product family


The complete COBIT package is a set consisting of six publications:

★ Executive Summary

★ Framework

★ Control Objectives

★ Audit Guidelines

★ Implementation Tool Set

★ Management Guidelines
A brief overview of each of the above components is provided below.
Executive Summary

Sound business decisions are based on timely, relevant and concise information. Specifically designed for time-pressed senior executives and managers, the COBIT Executive Summary consists of an Executive Overview, which provides a thorough awareness and understanding of COBIT's key concepts and principles. Also included is a synopsis of the Framework, which provides a more detailed understanding of these concepts and principles while identifying COBIT's four domains (Planning and Organization, Acquisition and Implementation, Delivery and Support, Monitoring) and 34 IT processes.

Framework

A successful organization is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, information and infrastructure) are important for the IT processes to fully support the business process.
Control Objectives

The key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT's Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 214 specific, detailed control objectives throughout the 34 IT processes.
Audit Guidelines

To achieve your desired goals and objectives you must constantly and consistently audit your procedures. Audit Guidelines outline and suggest actual activities to be performed corresponding to each of the 34 high-level IT control objectives, while substantiating the risk of control objectives not being met. Audit Guidelines are an invaluable tool for information systems auditors in providing management assurance and/or advice for improvement.
Implementation Tool Set

The Implementation Tool Set contains Management Awareness and IT Control Diagnostics, an Implementation Guide, FAQs, case studies from organizations currently using COBIT, and slide presentations that can be used to introduce COBIT into organizations. The new Tool Set is designed to facilitate the implementation of COBIT, relate lessons learned from organizations that quickly and successfully applied COBIT in their work environments, and lead management to ask about each COBIT process: Is this domain important for our business objectives? Is it well performed? Who does it and who is accountable? Are the processes and controls formalized?

Management Guidelines

To ensure a successful enterprise, you must effectively manage the union between business processes and information systems. The new Management Guidelines are composed of Maturity Models, to help determine the stages and expectation levels of control and compare them against industry norms; Critical Success Factors, to identify the most important actions for achieving control over the IT processes; Key Goal Indicators, to define target levels of performance; and Key Performance Indicators, to measure whether an IT control process is meeting its objective. These Management Guidelines will help answer the questions of immediate concern to all those who have a stake in enterprise success.

COBIT structure


COBIT covers four domains:

★ Plan and Organize

★ Acquire and Implement

★ Deliver and Support

★ Monitor and Evaluate
Plan and Organize

The Planning and Organization domain covers the use of information and technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT. The following table lists the high-level control objectives for the Planning and Organization domain.

HIGH LEVEL CONTROL OBJECTIVES: Plan and Organize

PO1   Define a Strategic IT Plan and direction
PO2   Define the Information Architecture
PO3   Determine Technological Direction
PO4   Define the IT Processes, Organization and Relationships
PO5   Manage the IT Investment
PO6   Communicate Management Aims and Direction
PO7   Manage IT Human Resources
PO8   Ensure Compliance with External Requirements
PO9   Assess and Manage IT Risks
PO10  Manage Projects
PO11  Manage Quality

Acquire and Implement

The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components. The following table lists the high-level control objectives for the Acquisition and Implementation domain.

HIGH LEVEL CONTROL OBJECTIVES: Acquire and Implement

AI1   Identify Automated Solutions
AI2   Acquire and Maintain Application Software
AI3   Acquire and Maintain Technology Infrastructure
AI4   Enable Operation and Use
AI5   Procure IT Resources
AI6   Manage Changes
AI7   Install and Accredit Solutions and Changes

Deliver and Support

The Delivery and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training. The following table lists the high-level control objectives for the Delivery and Support domain.

HIGH LEVEL CONTROL OBJECTIVES: Deliver and Support

DS1   Define and Manage Service Levels
DS2   Manage Third-party Services
DS3   Manage Performance and Capacity
DS4   Ensure Continuous Service
DS5   Ensure Systems Security
DS6   Identify and Allocate Costs
DS7   Educate and Train Users
DS8   Manage Service Desk and Incidents
DS9   Manage the Configuration
DS10  Manage Problems
DS11  Manage Data
DS12  Manage the Physical Environment
DS13  Manage Operations

Monitor and Evaluate

The Monitoring and Evaluation domain deals with a company's strategy for assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the independent assessment, by internal and external auditors, of the effectiveness of the IT system in meeting business objectives and of the company's control processes. The following table lists the high-level control objectives for the Monitoring domain.

HIGH LEVEL CONTROL OBJECTIVES: Monitor and Evaluate

ME1   Monitor and Evaluate IT Processes
ME2   Monitor and Evaluate Internal Control
ME3   Ensure Regulatory Compliance
ME4   Provide IT Governance

COBIT and other standards


COBIT and ISO/IEC 17799:2005

COBIT was released to and is used primarily by the IT community, and has become the internationally accepted framework for IT governance and control. ISO/IEC 17799:2005 (The Code of Practice for Information Security Management) is also an international standard and is best practice for implementing security management. The two standards do not compete with each other and actually complement one another. COBIT typically covers a broader area, while ISO/IEC 17799 is deeply focused on the area of security.
The table below describes the inter-relation of the two standards as well as how ISO/IEC 17799 can be integrated with COBIT. Each row is a COBIT domain and each numbered column is the process number within that domain (PO1, PO2, ... as listed in the COBIT structure section above); each cell shows how well the ISO/IEC 17799:2005 objectives map to that COBIT process.

COBIT DOMAIN            1  2  3  4  5  6  7  8  9  10 11 12 13
Plan and Organize       -  +  -  -  +  +  +  +  -  -  0  .  .
Acquire and Implement   +  0  0  -  0  +  .  .  .  .  .  .  .
Deliver and Support     -  +  0  +  +  .  +  0  0  0  +  0  0
Monitor and Evaluate    -  0  -  0  .  .  .  .  .  .  .  .  .

Legend:

(+) Good match (more than two ISO/IEC 17799:2005 objectives were mapped to the COBIT process)

(0) Partial match (one or two ISO/IEC 17799:2005 objectives were mapped to the COBIT process)

(-) No or minor match (no ISO/IEC 17799:2005 objective was mapped to the COBIT process)

(.) The process number does not exist in that domain

COBIT and Sarbanes Oxley

Public companies that are subject to the U.S. Sarbanes-Oxley Act of 2002 are encouraged to adopt COBIT and/or the Committee of Sponsoring Organizations of the Treadway Commission (COSO) "Internal Control - Integrated Framework." In choosing which of the control frameworks to implement in order to comply with Sarbanes-Oxley, the U.S. Securities and Exchange Commission suggests that companies follow the COSO framework.
COSO Internal Control - Integrated Framework states that internal control is a process — established by an entity's board of directors, management, and other personnel — designed to provide reasonable assurance regarding the achievement of stated objectives. COBIT approaches IT control by looking at information — not just financial information — that is needed to support business requirements and the associated IT resources and processes. COSO control objectives focus on effectiveness, efficiency of operations, reliable financial reporting, and compliance with laws and regulations. The two frameworks have different audiences. COSO is useful for management at large, while COBIT is useful for IT management, users, and auditors. COBIT is specifically focused on IT controls. Because of these differences, auditors should not expect a one-to-one relationship between the five COSO control components and the four COBIT objective domains.
COBIT and other international standards

For more international standards, see ISACA CobiT Mappings. COBIT is also addressed by the Information Security Forum in its Standard of Good Practice and other documents.

COBIT is also addressed in the Holistic Operational Readiness Security Evaluation (HORSE) project wiki; see HORSE.


See also



Information Technology Infrastructure Library

Health Insurance Portability and Accountability Act

Information Quality Management

IT Governance

The Standard of Good Practice

Information Security Management System

Val IT - Value from IT Investments
