Contents
2. COBIT  3
2.1 COBIT STRUCTURE  3
2.2 COBIT DOMAIN AND PROCESS STRUCTURE  4
2.3 INFORMATION MEASUREMENT CRITERIA  6
2.4 PROCESS GOALS AND METRICS  7
2.5 GENERIC PROCESS CONTROLS  8
2.6 GENERIC APPLICATION CONTROLS  9
2.7 PROCESS MATURITY MODEL  9
3. COBIT AND OTHER GOVERNANCE FRAMEWORKS  10
4. LINKS  11
1. Introduction to COBIT
This article is intended to be a brief introduction to the Control Objectives for
Information and related Technology (COBIT). COBIT is a substantial topic. The
links at the end of this article will provide a starting point for more information.
Page 1 of 12
Implementing COBIT for Effective IT Compliance
COBIT has a broad coverage and a business focus. It seeks to ensure that IT
delivers what the business needs. COBIT focuses on the “what” rather than on
the “how”. It is a control and management framework, linking IT practices to
business requirements.
COBIT is based on the principle that to provide the information that the
enterprise requires to achieve its objectives, the enterprise needs to manage and
control IT resources using a structured set of processes to deliver the required
information services.
The remainder of this article refers to COBIT V4.0, the latest version.
2. COBIT
COBIT is integrated with other standards and thus can become an umbrella
framework for IT governance. It assists in understanding and managing the risks
and benefits associated with IT. The process structure of COBIT and its business-
oriented approach provide an end-to-end view of IT.
The four COBIT domains and their constituent template processes are:
The implementation of these COBIT processes within the toolset is divided into
four parts:
In all there are currently 215 specific detailed control objectives across the 34
processes.
COBIT defines seven criteria that measure how well the information delivered by
the 34 processes meets business objectives.
Criterion: Description
…: … unauthorized disclosure
Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Availability: Relates to the information being available when required by the business process now and in the future
Compliance: Deals with complying with laws, regulations and contractual arrangements
Reliability: Relates to the provision of appropriate information for the workforce of the organization
Table 2 - COBIT Information Measurement Criteria
Each process has three sets of goals measured by corresponding sets of metrics:
Goal Metric
Activity Goals Key Performance Indicators
Process Goals Process Key Goal Indicators
IT Goals IT Key Goal Indicators
Table 3 - Process Goals and Metrics
For example, the goals and metrics for the process PO1 Define a strategic IT
plan are:
Key Performance Indicators
• Delay between updates of business strategic/tactical plan and updates of IT strategic/tactical plan
• % of strategic/tactical IT plan meetings where business representatives have actively participated
• Delay between updates of IT strategic plan and updates of IT tactical plans
• % of tactical IT plans complying with the predefined structure/contents of those plans
• % of IT initiatives/projects championed by business owners

Process Key Goal Indicators
• % of IT objectives in the IT strategic plan that support the strategic business plan
• % of IT initiatives in the IT tactical plan that support the tactical business plan
• % of IT projects in the IT project portfolio that can be directly traced back to the IT tactical plan

IT Key Goal Indicators
• Degree of approval of business owners of the IT strategic/tactical plans
• Degree of compliance with business and governance requirements
• Level of satisfaction of the business with the current state (number, scope, etc.) of the project and applications portfolio

Table 4 - Detailed goals and metrics for sample process PO1 Define a strategic IT plan
Control: Description
PC1 Process Owner: Assign an owner for each COBIT process such that responsibility is clear.
PC2 Repeatability: Define each COBIT process such that it is repeatable.
PC3 Goals and Objectives: Establish clear goals and objectives for each COBIT process for effective execution.
PC4 Roles and Responsibilities: Define unambiguous roles, activities and responsibilities for each COBIT process for efficient execution.
PC5 Process Performance: Measure the performance of each COBIT process against its goals.
PC6 Policy, Plans and Procedures: Document, review, keep up to date, sign off on and communicate to all involved parties any policy, plan or procedure that drives a COBIT process.
As with the generic process controls described above, COBIT includes a set of
generic application controls that are applied to all processes:
The organisation can evaluate its maturity in its management and control over IT
processes. The maturity scale of 0-5 and the associated score are not intended to
be precise; the objective is to identify where the issues are and to set priorities
for improvement.
Using this scale, management can identify the current performance of the enterprise
and the enterprise's target for improvement.
4. Links
These are some links relating to COBIT where you can find more information.
Link: Description
http://www.isaca.org/ : Information Systems Audit and Control Association – co-owner of COBIT
http://www.isaca.org/cobit : COBIT Home
http://cobitcampus.isaca.org : COBIT Education
http://www.itgi.org/ : IT Governance Institute – co-owner of COBIT
http://www.coso.org/ : Committee of Sponsoring Organizations of the Treadway Commission
http://it.safemode.org/ : COBIT open initiative
http://www.sox-online.com/coso_cobit.html : SOX COSO and COBIT Centre
http://www.ogc.gov.uk/index.asp?id=2261 : IT Infrastructure Library home