Implementing COBIT for Effective IT Compliance

Contents

1. INTRODUCTION TO COBIT .............................................................................. 1

2. COBIT ............................................................................................................. 3
2.1 COBIT STRUCTURE ........................................................................................... 3
2.2 COBIT DOMAIN AND PROCESS STRUCTURE ............................................................... 4
2.3 INFORMATION MEASUREMENT CRITERIA ................................................................... 6
2.4 PROCESS GOALS AND METRICS ............................................................................. 7
2.5 GENERIC PROCESS CONTROLS............................................................................... 8
2.6 GENERIC APPLICATION CONTROLS .......................................................................... 9
2.7 PROCESS MATURITY MODEL ................................................................................. 9
3. COBIT AND OTHER GOVERNANCE FRAMEWORKS .......................................... 10

4. LINKS ........................................................................................................... 11

1. Introduction to COBIT
This article is intended to be a brief introduction to the Control Objectives for
Information and related Technology (COBIT). COBIT is a substantial topic. The
links at the end of this article will provide a starting point for more information.

COBIT fits into the increasingly crowded landscape of corporate governance,

regulation and compliance rules and standards: Sarbanes-Oxley, BASEL II, ISO
17799/ BS 7799, Know Your Customer/Anti-Money Laundering, SEC Rule 17a-4/
NASD Rule 3010/3110, ITIL, Stability II, Data Protection Act, EU Directive 95/46,
Gramm-Leach-Bliley Act, COSO and many others.

IT is impacted by these requirements as IT drives the business process and

manages the information that such governance seeks to control. IT is at the core
of most complex businesses. IT is required to manage itself more effectively and
reliably in order respond to these requirements.

There are two aspects to IT controls:

1. IT must implement internal controls around how it operates

2. The systems IT delivers to the business and the underlying business
processes these systems actualise must be controlled – these are controls
external to IT

COBIT aims to be different from these other governance approaches in two

ways:

1. It is an IT governance framework and supporting set of tools that IT can use

to bridge the gap between control requirements, technical issues and business
risks.
2. It provides a detailed implementation structure and toolset that translates the
framework theory into a practical and achievable deliverables.

Page 1 of 12
 Implementing COBIT for Effective IT Compliance

Like all governance standards and methodologies, their implementation can be

long and painful. Implementation of and adherence to these compliance
standards can seem to represent wasted effort as it does not add value to the
business. COBIT removes at least some of the pain and reducing the execution
time by going some way towards translating general principles to realisable
specifics.

Because COBIT has a detailed implementation framework, the project to

implement it and the associated time and cost can be defined more exactly.

The framework can be customised to suit the requirements of the organisation.

COBIT has a broad coverage and a business focus. It seeks to ensure that IT
delivers what the business needs. COBIT focuses on the “what” rather than on
the “how”. It is a control and management framework, linking IT practices to
business requirements.

COBIT is based on the principle that to provide the information that the
enterprise requires to achieve its objectives, the enterprise needs to manage and
control IT resources using a structured set of processes to deliver the required
information services.

The implementation of COBIT seeks to deliver real benefits:

• Better IT to business alignment built on a business focus

• Management view of what IT does
• Clear ownership and responsibilities, based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, based on a common
language
• Fulfilment of the governance requirements for the IT control environment

The remainder of this article refers to COBIT V4.0, the latest version.

Page 2 of 12
 Implementing COBIT for Effective IT Compliance

Figure 1 - Underlying COBIT Principle

2. COBIT

2.1 COBIT Structure

Schematically, the structure of the components of COBIT and their relationship is

represented as:

Figure 2 - COBIT Components and Relationships

Page 3 of 12
 Implementing COBIT for Effective IT Compliance

COBIT provides a framework and an associated toolset that allow IT implement

controls and address technical issues and business risks and communicate that
level of control to IT business stakeholders. By providing a toolset COBIT enables
the development of policy and practice for IT control throughout the enterprise.

COBIT is integrated with other standards and thus can become an umbrella
framework for IT governance. It assists in understanding and managing the risks
and benefits associated with IT. The process structure of COBIT and its business-
oriented approach provides an end-to-end view of IT.

2.2 COBIT Domain and Process Structure

The COBIT process model of four domains contains (currently) 34 template

processes that manage the IT resources to deliver information to the business
according to business and governance requirements. Each of the processes
contains a set of objectives.

Figure 3 - COBIT Hierarchy

When implemented, the processes can be regarded as an engine to deliver

information and fulfil objectives.

Page 4 of 12
 Implementing COBIT for Effective IT Compliance

Figure 4 - COBIT Process Domains and The Delivery of Information to Meet

Objectives

The four COBIT domains and their constituent template processes are:

Plan and Acquire and Deliver and Monitor and

Organise (PO) Implement (AI) Support (DS) Evaluate (ME)
PO1 Define a AI1 Identify DS1 Define and ME1 Monitor and
strategic IT plan automated manage service evaluate IT
solutions levels performance
PO2 Define the AI2 Acquire and DS2 Manage third- ME2 Monitor and
information maintain party services evaluate internal
architecture application control
software
PO3 Determine AI3 Acquire and DS3 Manage ME3 Ensure
technological maintain performance and regulatory
direction technology capacity compliance
infrastructure
PO4 Define the IT AI4 Enable DS4 Ensure ME4 Provide IT
processes, operation and use continuous service governance
organisation and
relationships
PO5 Manage the IT AI5 Procure IT DS5 Ensure
investment resources systems security
PO6 Communicate AI6 Manage DS6 Identify and
management aims changes allocate costs
and direction
PO7 Manage IT AI7 Install and DS7 Educate and
human resources accredit solutions train users
and changes
PO8 Manage DS8 Manage
quality service desk and
incidents

Page 5 of 12
 Implementing COBIT for Effective IT Compliance

PO9 Assess and DS9 Manage the

manage IT risks configuration
PO10 Manage DS10 Manage
projects problems
DS11 Manage data
DS12 Manage the
physical
environment
DS13 Manage
operations
Table 1 - COBIT Processes and Detailed Controls

The implementation of these COBIT processes within the toolset is divided into
four parts:

1. High-level control objective – this is a process summary identifying business

requirement being satisfied, focus, achievement and measurement principles
2. Detailed process-specific control objectives
3. Process inputs and outputs, responsibilities, goals and metrics.
4. Process maturity model

Each of these processes consists of a number of specific control objectives. For

example, the process PO1 Define a strategic IT plan consists of the following
control objectives:

• PO1.1 IT Value Management

• PO1.2 Business-IT Alignment
• PO1.3 Assessment of Current Performance
• PO1.4 IT Strategic Plan
• PO1.5 IT Tactical Plans
• PO1.6 IT Portfolio Management

In all there are currently 215 specific detailed control objectives across the 34
processes.

Again it is COBIT’s execution-oriented template approach and structure makes it

useful and implementable.

2.3 Information Measurement Criteria

COBIT defines seven criteria measure how the information delivered by the 34
processes meets business objectives.

Deals with information being relevant and pertinent to the

Effectiveness business process as well as being delivered in a timely,
correct, consistent and usable manner
Concerned with the provision of the information through the
Efficiency
optimal use of resources
Confidentiality Concerned with the protection of sensitive information from

Page 6 of 12
 Implementing COBIT for Effective IT Compliance

unauthorized disclosure
Relates to the accuracy and completeness of information as
Integrity well as to its validity in accordance with business values and
expectations
Relates to the information being available when required by
Availability
the business process now and in the future
Deals with complying with laws, regulations and contractual
Compliance
arrangements
Relates to the provision of appropriate information for the
Reliability
workforce of the organization
Table 2 - COBIT Information Measurement Criteria

2.4 Process Goals and Metrics

Each process has three sets of goals measured by corresponding sets of metrics:

Goal Metric
Activity Goals Key Performance Indicators
Process Goals Process Key Goal Indicators
IT Goals IT Key Goal Indicators
Table 3 - Process Goals and Metrics

For example, the goals and metrics for the process PO1 Define a strategic IT
plan are:

Activity Goals Process Goals IT Goals

• Engaging with business • Define how business • Respond to business
and senior requirements are requirements in
management in translated in service alignment with the
aligning IT strategic offerings. business strategy.
planning with current • Define the strategy to • Respond to governance
and future business deliver service requirements in line
needs offerings. with board direction.
• Understanding current • Contribute to the
IT capabilities management of the
• Translating IT strategic portfolio of IT-enabled
planning into tactical business investments.
plans • Establish clarity of
• Providing for a business impact of risks
prioritisation scheme to IT objectives and
for the business resources.
objectives that • Provide transparency
quantifies the business and understanding of
requirements IT costs, benefits,
strategy, policies and
service levels.
Key Performance Process Key Goal IT Key Goal Indicators

Page 7 of 12
 Implementing COBIT for Effective IT Compliance

Indicators Indicators
• Delay between updates • % of IT objectives in • Degree of approval of
of business the IT strategic plan business owners of the
strategic/tactical plan that support the IT strategic/tactical
and updates of IT strategic business plan plans
strategic/tactical plan • % of IT initiatives in • Degree of compliance
• % of strategic/tactical the IT tactical plan that with business and
IT plan meetings where support the tactical governance
business business plan requirements
representatives have • % of IT projects in the • Level of satisfaction of
actively participated IT project portfolio that the business with the
• Delay between updates can be directly traced current state (number,
of IT strategic plan and back to the IT tactical scope, etc.) of the
updates of IT tactical plan project and applications
plans portfolio
• % of tactical IT plans
complying with the
• Predefined
structure/contents of
those plans
• % of IT
initiatives/projects
championed by
business owners
Table 4 - Detailed goals and metrics for sample process PO1 Define a strategic
IT plan

2.5 Generic Process Controls

In addition to the process-specific control objectives, COBIT includes a set of

generic process controls that are applied to all processes:

Control
PC1 Process Owner
PC2 Repeatability
PC3 Goals and Objectives
PC4 Roles and
Responsibilities
PC5 Process Performance
PC6 Policy, Plans and
Procedures
Description
Assign an owner for each COBIT process such
that responsibility is clear.
Define each COBIT process such that it is
repeatable.
Establish clear goals and objectives for each
COBIT process for effective execution.
Define unambiguous roles, activities and
responsibilities for each COBIT process for
efficient execution.
Measure the performance of each COBIT process
against its goals.
Document, review, keep up to date, sign off on
and communicate to all involved parties any
policy, plan or procedure that drives a COBIT
process.

Page 8 of 12
 Implementing COBIT for Effective IT Compliance

Table 5 - COBIT Generic Detailed Process Controls

2.6 Generic Application Controls

As with the generic process controls described above, COBIT includes a set of
generic application controls that are applied to all processes:

Application Control Group Application Control Details

AC1 Data Preparation Procedures
Data AC2 Source Document Authorisation Procedures
Origination/Authorisation AC3 Source Document Data Collection
Controls AC4 Source Document Error Handling
AC5 Source Document Retention
AC6 Data Input Authorisation Procedures
Data Input Controls AC7 Accuracy, Completeness and Authorisation
Checks
AC8 Data Input Error Handling
AC9 Data Processing Integrity
Data Processing Controls AC10 Data Processing Validation and Editing
AC11 Data Processing Error Handling
AC12 Output Handling and Retention
AC13 Output Distribution
Data Output Controls AC14 Output Balancing and Reconciliation
AC15 Output Review and Error Handling
AC16 Security Provision for Output Reports
AC17 Authenticity and Integrity
Boundary Controls AC18 Protection of Sensitive Information During
Transmission and Transport
Table 6 - COBIT Detailed Application Controls

2.7 Process Maturity Model

The implementation of each process is measured on a maturity scale from 0

meaning non-existent to 5 denoting optimised:

Page 9 of 12
 Implementing COBIT for Effective IT Compliance

Figure 5 - Process Maturity Measurement

There is a separate specific maturity model for each of COBIT’s 34 IT processes.

The organisation can evaluate its maturity in its management and control over IT
processes. The maturity scale of 0-5 and associated score is not intended to be
precise. The objective is to identify where issues are and to set priorities for
improvements.

Using this, management can identify the current performance of the enterprise
and the enterprise’s target for improvement.

3. COBIT and Other Governance Frameworks

Implementing COBIT will assist in compliance with other major standards such as
COSO and Sarbanes-Oxley:

Figure 6 - COBIT, COSO and SOX

Because COBIT contains a detailed implementation toolset, it can be used to

provide a framework for implementing other standards. Implementing COBIT can
subsume compliance with many other standards. The following maps other
standards to COBIT in terms of:

• Level of Detail - How detailed are the guidelines in terms of technical or

operational depth.

Page 10 of 12
 Implementing COBIT for Effective IT Compliance

• Completeness - How much of COBIT is addressed with the standard, what

is more comprehensively addressed than in COBIT and what is absent
compared to COBIT

Figure 7 - Comparison of COBIT and Other Standards

4. Links
These are some links relating to COBIT where you can find more information.

Link Description
http://www.isaca.org/ Information Systems Audit and Control
Association – co-owner of COBIT
http://www.isaca.org/cobit COBIT Home
http://cobitcampus.isaca.org COBIT Education
http://www.itgi.org/ IT Governance Institute – co-owner of COBIT
http://www.coso.org/ Committee of Sponsoring Organizations of the
Treadway Commission
http://it.safemode.org/ COBIT open initiative
http://www.sox- SOX COSO and COBIT Centre
online.com/coso_cobit.html
http://www.ogc.gov.uk/index IT Infrastructure Library home
.asp?id=2261

Page 11 of 12
 Implementing COBIT for Effective IT Compliance

http://www.controlit.org/ Support Group for COBIT Users containing COBIT

forums and information
Table 7 - Web Links for More Information

Page 12 of 12