“COBIT 4.0 enables continuous improvement in IT governance”

COBIT 4.0, the IT governance framework, is being increasingly used by CIOs to develop best practices for IT control. A Rafeq, President, Strategic Development and Alliances, Tally Solutions, talks to Kumar Dawada about COBIT 4.0’s approaches to regulatory compliance and how it helps align IT best practices with business processes.

What are the highlights of COBIT 4.0?

The latest version of Control Objectives for Information and related Technology (COBIT) focusses on regulatory compliance. It helps organisations in increasing the value attained from IT. COBIT 4.0, provides guidelines for streamlined and practical activities, and enables them achieve continuous improvement in IT governance.

COBIT 4.0 addresses the needs of auditors, regulators, security experts and others in in their job of providing assurance on the performance of IT under different circumstances. As more enterprises adopt specialised guidance such as ITIL and ISO 17799, COBIT can be used as the integrator, umbrella framework and practical guidance tool for overall IT control.

It targets three main audiences: management, IT and auditors. The benefits of implementing COBIT as a governance framework include better alignment based on business focus. It makes management understand IT better. There is clarity of ownership and responsibilities, based on process orientation.

How is the COBIT framework different from other frameworks/standards such as ITIL, ISO 9001, ISO 17799 and CMM?

COBIT is the overall framework for control and governance over IT. It is an integrator of many other global frameworks and based on many of them. COBIT works in tandem with those other frameworks. The IT Governance Institute (ITGI) intended COBIT to suit every organisation. However, there is also a need for detailed, standardised practitioner processes. Specific practices and standards, such as ITIL and ISO 17799 cover specific areas and can be mapped to the COBIT framework, and provide a hierarchy of guidance materials.

What verticals and organisations does COBIT target?

COBIT’s high-level, platform-neutral nature makes it suitable for any type of enterprise, regardless of size or industry. It can also be customised. Enterprises can use only those portions that apply to their environment and customise their selections to fill their needs. COBIT is not a “cookbook” that requires that the user start at the beginning and go through page by page, applying each piece of guidance, in a given order. It is a very flexible document. For instance, COBIT Quickstart is a stripped-down version for smaller enterprises, and COBIT Security Baseline focuses only on the security-specific material from COBIT.

The Reserve Bank of India has been using COBIT for providing guidelines on IT controls to Financial Institutions in India. Many IT companies such as Infosys, Wipro, Satyam, TCS, i-Flex Solutions and Tally Solutions use COBIT. Many banks in India are also using COBIT for designing IT policies and procedures, and for giving IT control guidelines.

How does COBIT meet regulatory requirements?

An entire publication addresses the use of COBIT in achieving compliance with the US Sarbanes-Oxley Act. It is titled IT Control Objectives for Sarbanes-Oxley, and is available for free download from the ITGI site, www.itgi.org. COBIT addresses the attainment of control over IT which includes reliability, confidentiality and availability of data. This is what most regulations are attempting to enforce. Therefore, COBIT is a useful tool for enterprises to use in any compliance effort.

Can you highlight the best practices laid down in COBIT for mitigating IT related risks, monitoring and improving critical IT activities as well as aligning IT with business?

There are more than 50 international best practices which have been considered and used in COBIT. COBIT Control Objectives ensure that all key risks for each of the processes are mitigated by appropriate controls. COBIT management guidelines outline key goal indicators and key performance indicators for each of the 34 IT processes.

COBIT shows the functional breakdown of the IT business (plan and organise, acquire and implement, deliver and support, and monitor and evaluate) and the processes required to successfully execute each function (34 processes in all). In essence, it describes the complete IT lifecycle from a management perspective. It not only describes processes in detail, but also outlines their control objectives and critical quality criteria. It provides a guideline for self-assessing your level of maturity in executing each process. These best practices help in not only ensuring IT related risks are mitigated but also how IT value delivery is successfully achieved.

How can COBIT align business and IT plans and operations?

COBIT has a fundamental orientation to business requirements. Research carried out by the University of Antwerp into how IT supports business objectives in different industry sectors provided a generic cross-reference of common business goals to IT goals. A table is provided showing the relationship among business goals, IT goals and COBIT’s IT processes to help users identify business-to-IT linkages in their own organisations. This was also used to improve the goal and performance metrics.

COBIT 4.0 provides RACI charts (who is responsible, accountable, consulted and informed) to address process roles and responsibilities for each IT process, and enterprise architecture principles are explained within the framework, linking goals, resources, information and processes. To improve understanding of the IT process model, COBIT 4.0 contains descriptions of each process together with process inputs and outputs with cross-references to other processes.

What trends will be seen in control frameworks in the near future?

There is a trend among the owners of various global frameworks to make them more compatible, so that they can all be used together, each addressing its own particular niche of expertise. With more frameworks involved, there can be increased complexity, so efforts will be made to make them easy to use. Implementing control over any aspect of IT should not be a complex or tedious job. Frameworks will look for ways to make the process more streamlined and adaptable in future.

Information Systems Audit and Control Association (ISACA) and ITGI believe that control frameworks have to keep evolving dynamically to meet the needs of business. ITGI has prepared a roadmap for continuous updating of all its guidelines and COBIT related products.

In current and later versions, the control practices will be modified to align with COBIT 4.0. The audit guidelines will be enhanced and replaced by a new IT assurance guides. COBIT online will provide templates to download to support these techniques. The COBIT implementation guide as well as all COBIT related components will be revised and updated.

kumard@networkmagazineindia.com