The COBIT source for best practices
COBIT is a set of security best-practice standards that enterprises can follow. Here's how it can impact your organization.
by Avinash Kadam
Control Objectives for Information and related Technology (COBIT) has been developed and promoted by the IT Governance Institute, which is part of the Information Systems Audit and Control Association (ISACA). COBIT has been promoted as a standard for control over IT.
How do we get IT under control so that it delivers the information an organization needs? COBIT is expected to help us achieve this by breaking the problem into smaller parts. The COBIT framework divides the entire spectrum of IT management into 34 IT processes. How do we know if these IT processes are managed well? The COBIT framework has defined 318 control objectives and audit guidelines to make this job easy.
Controls and control objectives
Before we go any further, let us understand the terms controls and control objectives. Controls are defined by COBIT as the policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved, and that undesired events will be prevented or detected and corrected.
So an e-mail policy, a virus detection procedure, a password selection practice, and a security committee are examples of controls, since these prevent, detect and correct undesired events.
Next is the definition of Control Objective, which states that 'an IT control objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular
So an IT control objective could be 'ensure continuous service', which can be met by implementing a number of control procedures such as writing continuity plans, continuity plan training, continuity plan testing, a back-up site and so on.
COBIT has defined various IT resources, which need to be managed. These are data, application systems, technology, facilities and people. COBIT's focus is to ensure that these resources are well utilized for achieving the business objectives.
For management of these resources, COBIT has defined three criteria, which should be met. These are quality requirements, fiduciary requirements, and security requirements. These three requirements are further broken down into seven desirable qualities. These are effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability.
The COBIT framework has a three-level structure. The top level consists of four domains, which are:
1. Planning and Organization
2. Acquisition and Implementation
3. Delivery and Support
4. Monitoring
If it looks similar to a PDCA (Plan-Do-Check-Act) cycle, it is not a coincidence. COBIT has expanded the PDCA definition to fit the IT activities. The next layer consists of 34 IT processes. And the last layer consists of the detailed tasks to carry out these IT processes.
There are 318 distinct tasks. The 34 IT processes are presented as the 34 high-level control objectives, and the 318 tasks are worded as 318 detailed-level control objectives. Depending on who is looking at it, an IT manager could regard the IT processes and tasks as best practices, which could be adopted by carrying out the tasks under each process.
The IS auditor could use COBIT to check whether the IT tasks were indeed carried out to meet the control objectives set under each of the tasks, and whether this achieved the high-level control objective set for the IT process. The last part is the audit guidelines. Again, the name should not put off IT managers. The audit guidelines provide an excellent checklist for high-level as well as detailed control objectives.
An auditor would use it for auditing the IT processes. An IT manager could use it as guidance for properly carrying out the IT process. It becomes a very handy tool to check the completeness of your approach and methodology.
Let us now take a deeper look into
Planning and Organization
Planning is all about preparing today to meet the demands of tomorrow. A strategic IT plan has to be defined which meets the enterprise business strategy. The IT plan then needs to be converted into an information architecture design, which will again depend on the technological
The plans need to be executed by an appropriate organization structure. The execution requires managing investments, assessing and managing risks, communication, project management, quality management, human resource management, and compliance with external requirements. To cover all these activities, the domain consists of the following IT processes:
- Define a Strategic IT Plan
- Define the Information Architecture
- Determine Technological Direction
- Define the IT Organization and Relationships
- Manage the IT Investment
- Communicate Management Aims and Direction
- Manage Human Resources
- Ensure Compliance with External Requirements
- Assess Risks
- Manage Projects
- Manage Quality
The above 11 IT processes are further elaborated in individual tasks. For example, one of the processes is 'Assess Risks'. This is broken down into the following eight detailed control objectives:
1. Business Risk Assessment
2. Risk Assessment Approach
3. Risk Identification
4. Risk Measurement
5. Risk Action Plan
6. Risk Acceptance
7. Safeguard Selection
8. Risk Assessment Commitment
Reading through these detailed control objectives and associated audit guidelines clarifies what is expected from the high-level control objective of 'Assess Risks'.
Acquisition and Implementation
After the 'Plan' phase, we go to the 'Do' phase. Identifying and acquiring or developing solutions is needed to execute the plans. The solutions may consist of application software or technology infrastructure along with various operating procedures, user procedures and training manuals. After successfully acquiring the solution, it needs to be implemented, maintained, tested, accredited, and any changes need to be managed to ensure continued availability.
All these practical issues are dealt with in this domain by means of the following processes. As mentioned earlier, each process is supported by a detailed list of tasks to be performed.
- Identify Automated Solutions
- Acquire and Maintain Application Software
- Acquire and Maintain Technology Infrastructure
- Develop and Maintain Procedures
- Install and Accredit Systems
- Manage Changes
Delivery and Support
This is the second part of the 'Do' phase, where we are concerned with getting things operational and providing efficient and cost-effective services to meet the business objectives. This is probably the longest phase of the system lifecycle.
We need to ensure that the system continues to perform at the desired level. To accomplish this, we define and manage service levels, manage the third parties providing the services, and ensure that the performance or capacity of the resources does not become a bottleneck.
During this phase we are also concerned about the availability of continuous, uninterrupted service, even in the face of disasters. So we have to ensure that appropriate business continuity plans are documented and tested, and that people are trained to execute them.
We are also concerned about system security, which is a major concern today. An entire standard like ISO 17799 is devoted to this topic alone. COBIT covers all the security aspects quite well, but these are spread all over the standard.
The next part is the day-to-day management aspect of IT: managing problems, incidents, data, configurations, facilities and operations, training the users, and assisting customers. While doing all this, we also have to manage the costs.
All these activities are defined in the following 13 processes, supported by detailed tasks.
1. Define and Manage Service Levels
2. Manage Third-Party Services
3. Manage Performance and Capacity
4. Ensure Continuous Service
5. Ensure Systems Security
6. Identify and Allocate Costs
7. Educate and Train Users
8. Assist and Advise Customers
9. Manage the Configuration
10. Manage Problems and Incidents
11. Manage Data
12. Manage Facilities
13. Manage Operations
Monitoring
The last domain of COBIT pertains to the 'Check' part. The 'Act' part, taking corrective action, is implemented by redoing the entire cycle starting from planning if this phase identifies some weakness in the process. The checking is done by monitoring all the processes through management information system reports. It can be further supported by exception reports, checking key performance indicators or critical success factors, and assessing customer satisfaction. Monitoring the internal controls and conducting an independent audit of the processes provide independent assessment.
Following are the monitoring processes. If the IT head does not want to be caught on the wrong side, he/she may as well implement these processes as a proactive measure and assure management of the dependability of IT in achieving business objectives.
- Monitor the Processes
- Assess Internal Control Adequacy
- Obtain Independent Assurance
- Provide for Independent Audit
COBIT does not have a certification process. In place of a formal certification, COBIT has suggested a maturity model for self-assessment. As we have seen earlier, each process of COBIT has a high-level control statement and between 3 and 30 detailed control objectives. The process owner should be able to determine the level of adherence to the control objective either by self-assessment or by independent review.
The scale used for the maturity model is from 0 to 5:
0 Non-Existent - Management processes are not applied at all.
1 Initial - Processes are ad hoc and disorganized.
2 Repeatable - Processes follow a regular pattern.
3 Defined - Processes are documented.
4 Managed - Processes are monitored.
5 Optimized - Best practices are followed and automated.
The maturity model is recommended to be used by conducting the following mappings and comparisons:
- The current status of the organization - where the organization is today
- The current status of (best-in-class in) the industry - the comparison
- The current status of international standard guidelines - additional comparison
- The organization's strategy for improvement - where the organization wants
This comparison needs to be done for each of the 34 IT
The COBIT package includes the following. (You could buy it from www.isaca.org)
- Executive Summary
- Implementation Tool Set
- Control Objectives
- Audit Guidelines
- Management Guidelines
- A CD-ROM and a floppy
Apart from the above documentation, which is extensive, there are other publications to help you in the implementation of COBIT.
COBIT has evolved over the years. It is currently in its third edition, which was published in 2000. COBIT Fourth Edition is now eagerly
Avinash Kadam is Director of MIEL e-Security, Pvt. Ltd.
He can be reached at firstname.lastname@example.org