Understanding: COBIT - PowerPoint PPT Presentation

About This Presentation
Title:

Understanding: COBIT

Description:

COBIT as a response to the needs. Why and how is COBIT used? ... AI5 Install and accredit systems. AI6 Manage changes. M1 Monitor the process ... – PowerPoint PPT presentation

Slides: 50
Provided by: egul6

Transcript and Presenter's Notes

1
Understanding COBIT
2
Why and how is COBIT used?
COBIT as a response to the needs
  • Incorporates major international standards
  • Has become the de facto standard for overall
    control over IT
  • Starts from business requirements
  • Is process-oriented

[Diagram: COBIT as a best practices repository for IT Processes, IT Management Processes and IT Governance Processes]
3
COBIT Framework Definition
To provide the information that the organisation
needs to achieve its objectives, IT resources
need to be managed by a set of naturally grouped
processes.
A process orientation is a proven management
approach to efficiently exercise
responsibilities, achieve set goals and
reasonably manage risks.
WHY
4
Business Orientation and Process Focus
  • In order to provide the information that the
    organisation needs to achieve its objectives, IT
    resources need to be managed by a set of
    naturally grouped processes.

Business
  • Relates to business requirements (expressed as
    information criteria)
  • Links to business processes
  • Empowers business owners
Process
  • Decomposes IT into four domains and 34 processes
  • Domains (plan-build-run) plus monitor
  • Control, audit, implementation and performance
    management knowledge structured by process
5
COBIT: Of what does it consist?
  • Starts from the premise that IT needs to deliver
    the information that the enterprise needs to
    achieve its objectives
  • Promotes process focus and process ownership
  • Divides IT into 34 processes belonging to four
    domains and provides a high-level control
    objective for each
  • Considers fiduciary, quality and security needs
    of enterprises, providing seven information
    criteria that can be used to generically define
    what the business requires from IT
  • Is supported by a set of over 300 detailed
    control objectives
Four domains:
  • Plan and Organise
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate
Seven information criteria:
  • Effectiveness
  • Efficiency
  • Availability
  • Integrity
  • Confidentiality
  • Reliability
  • Compliance

6
Business Requirements
  • Quality Requirements
    • Quality
    • Delivery
    • Cost
  • Security Requirements
    • Confidentiality
    • Integrity
    • Availability
  • Fiduciary Requirements (COSO Report)
    • Effectiveness and efficiency of operations
    • Compliance with laws and regulations
    • Reliability of financial reporting
  • Resulting information criteria
    • Effectiveness
    • Efficiency
    • Confidentiality
    • Integrity
    • Availability
    • Compliance
    • Reliability of information

7
Business Requirements
  • Effectiveness: Deals with information being
    relevant and pertinent to the business process
    as well as being delivered in a timely, correct,
    consistent and usable manner
  • Efficiency: Concerns the provision of information
    through the optimal (most productive and
    economical) usage of resources
  • Confidentiality: Concerns protection of sensitive
    information from unauthorised disclosure
  • Integrity: Relates to the accuracy and
    completeness of information as well as to its
    validity in accordance with the business's set of
    values and expectations
  • Availability: Relates to information being
    available when required by the business process,
    and hence also concerns the safeguarding of
    resources
  • Compliance: Deals with complying with those laws,
    regulations and contractual arrangements to which
    the business process is subject, i.e., externally
    imposed business criteria
  • Reliability of information: Relates to systems
    providing management with appropriate information
    for it to use in operating the entity, providing
    financial reporting to users of the financial
    information, and providing information to report
    to regulatory bodies with regard to compliance
    with laws and regulations
8
Process Orientation
9
Process Orientation
  • IT Domains: natural grouping of processes, often
    matching an organisational domain of
    responsibility
    • Plan and Organise
    • Acquire and Implement
    • Deliver and Support
    • Monitor and Evaluate
  • IT Processes: a series of joined activities with
    natural (control) breaks
    • IT strategy
    • Computer operations
    • Incident handling
    • Acceptance testing
    • Change management
    • Contingency planning
    • Problem management
  • Activities: actions needed to achieve a
    measurable result. Activities have a life cycle,
    whereas tasks are discrete.
    • Record new problem
    • Analyse
    • Propose solution
    • Monitor solution
    • Record known problem
    • Etc.
10
Process Orientation Example: Acquire and Implement
  • Description: To realise the IT strategy, IT
    solutions need to be identified, developed or
    acquired, as well as implemented and integrated
    into the business process. In addition, changes
    in and maintenance of existing systems are
    covered by this domain to make sure that the life
    cycle is continued for these systems.
  • Topics
    • IT solutions
    • Changes and maintenance
  • Questions
    • Are new projects likely to deliver solutions
      that meet business needs?
    • Are new projects likely to deliver on time and
      within budget?
    • Will the new systems work properly when
      implemented?
    • Will changes be made without upsetting current
      business operations?

Domains
11
Process Orientation Acquire and Implement
  • AI1 Identify automated solutions
  • AI2 Acquire and maintain application software
  • AI3 Acquire and maintain technology
    infrastructure
  • AI4 Develop and maintain IT procedures
  • AI5 Install and accredit systems
  • AI6 Manage changes

12
IT Resources
  • Data: Data objects in their widest sense, i.e.,
    external and internal, structured and
    nonstructured, graphics, sound, etc.
  • Application Systems: Understood to be the sum of
    manual and programmed procedures
  • Technology: Covers hardware, operating systems,
    database management systems, networking,
    multimedia, etc.
  • Facilities: Resources to house and support
    information systems
  • People: Staff skills, awareness and productivity
    to plan, organise, acquire, deliver, support,
    monitor and evaluate information systems and
    services

13
How do they relate?
Business Requirements
  • Effectiveness
  • Efficiency
  • Confidentiality
  • Integrity
  • Availability
  • Compliance
  • Information reliability
IT Resources
  • Data
  • Application systems
  • Technology
  • Facilities
  • People
IT Processes
  • Plan and Organise
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate

14
What the stakeholders expect from IT:
Business Requirements
  • Effectiveness
  • Efficiency
  • Confidentiality
  • Integrity
  • Availability
  • Compliance
  • Information reliability
The resources made available to, and built up by, IT:
IT Resources
  • Data
  • Application systems
  • Technology
  • Facilities
  • People
IT Processes
  • Plan and Organise
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate

15
COBIT Framework
To provide the information that the organisation
needs to achieve its objectives, IT resources
need to be managed by a set of naturally grouped
processes.
16
COBIT Framework
Business Objectives
PLAN AND ORGANISE
  • PO1 Define a strategic IT plan
  • PO2 Define the information architecture
  • PO3 Determine the technological direction
  • PO4 Define the IT organisation and relationships
  • PO5 Manage the IT investment
  • PO6 Communicate management aims and direction
  • PO7 Manage human resources
  • PO8 Ensure compliance with external requirements
  • PO9 Assess risks
  • PO10 Manage projects
  • PO11 Manage quality
ACQUIRE AND IMPLEMENT
  • AI1 Identify automated solutions
  • AI2 Acquire and maintain application software
  • AI3 Acquire and maintain technology
    infrastructure
  • AI4 Develop and maintain IT procedures
  • AI5 Install and accredit systems
  • AI6 Manage changes
DELIVER AND SUPPORT
  • DS1 Define service levels
  • DS2 Manage third-party services
  • DS3 Manage performance and capacity
  • DS4 Ensure continuous service
  • DS5 Ensure systems security
  • DS6 Identify and attribute costs
  • DS7 Educate and train users
  • DS8 Assist and advise IT customers
  • DS9 Manage the configuration
  • DS10 Manage problems and incidents
  • DS11 Manage data
  • DS12 Manage facilities
  • DS13 Manage operations
MONITOR AND EVALUATE
  • M1 Monitor the process
  • M2 Assess internal control adequacy
  • M3 Obtain independent assurance
  • M4 Provide for independent audit
17
COBIT Framework
  • Summarising up to now
  • IT is indispensable for the survival and growth
    of enterprises.
  • Management is responsible for control.
  • That responsibility needs a framework
  • Business requirements can be expressed as
    information criteria.
  • IT is generally organised in a set of processes.
  • IT needs a set of resources.
  • COBIT is an internationally accepted standard.

To provide the information that the organisation
needs to achieve its objectives, IT resources
need to be managed by a set of naturally grouped
processes.
18
The COBIT Cube
19
Navigational Aids
Plan and Organise
Acquire and Implement
COBIT Cube
Deliver and Support
Monitor and Evaluate
20
Summary: Processes, Criteria and Resources
21
COBIT Summary of Processes, Criteria and
Resources
For a business with which you are familiar, what
would be the most important IT processes? Why?
22
Important COBIT Products
  • Control Objectives: Minimum controls are...
  • Management Guidelines: Here is how you measure...
  • Audit Guidelines: Here is how you audit...
23
Control and Control Objective Definitions
Definition of Control: The policies, procedures,
practices and organisational structures designed to
provide reasonable assurance that business
objectives will be achieved and undesired events
will be prevented or detected and corrected
Definition of IT Control Objective: A statement of
the desired result or purpose to be achieved by
implementing control practices in a particular IT
activity
24
Control Objectives and Control Practices
  • High-level control objective: one per process
  • Detailed control objectives: three to 30 per
    process
  • Control practices: five to seven per control
    objective

25
Waterfall Model
The control of
IT Processes
which satisfy
Business Requirements
is enabled by
Control Statements
considering
Control Practices
4 Domains - 34 Processes - 318 Control Objectives
26
AI1
High-level Control Objective
27
Detailed Control Objectives: AI1 Identify Automated
Solutions
  • 1.1 Definition of Information Requirements
  • 1.2 Formulation of Alternative Courses of Action
  • 1.3 Formulation of Acquisition Strategy
  • 1.4 Third-Party Service Requirements
  • 1.5 Technological Feasibility Study
  • 1.6 Economic Feasibility Study
  • 1.7 Information Architecture
  • 1.8 Risk Analysis Report

28
Detailed Control Objectives: AI1 Identify Automated
Solutions (cont.)
  • 1.9 Cost-Effective Security Controls
  • 1.10 Audit Trails Design
  • 1.11 Ergonomics
  • 1.12 Selection of System Software
  • 1.13 Procurement Control
  • 1.14 Software Product Acquisition
  • 1.15 Third-Party Software Maintenance
  • 1.16 Contract Application Programming
  • 1.17 Acceptance of Facilities
  • 1.18 Acceptance of Technology

29
Detailed Control Objectives: AI1 Identify Automated
Solutions (cont.)
  • 1.1 Definition of Information Requirements
  • CONTROL OBJECTIVE
    The organisation's system development life cycle
    methodology should provide that the business
    requirements satisfied by the existing system and
    to be satisfied by the proposed new or modified
    system (software, data and infrastructure) be
    clearly defined before a development,
    implementation or modification project is
    approved.
  • The system development life cycle methodology
    should require that the solution's functional and
    operational requirements be specified including
    performance, safety, reliability, compatibility,
    security and legislation.

30
Detailed Control Objectives: AI1 Identify Automated
Solutions (cont.)
  • 1.2 Formulation of Alternative Courses of Action
  • CONTROL OBJECTIVE
    The organisation's system development life cycle
    methodology should provide for the analysis of
    the alternative courses of action that will
    satisfy the business requirements established for
    a proposed new or modified system.
  • 1.3 Formulation of Acquisition Strategy
  • CONTROL OBJECTIVE
  • Information systems acquisition, development and
    maintenance should be considered in the context
    of the organisation's IT long- and short-range
    plans. The organisation's system development life
    cycle methodology should provide for a software
    acquisition strategy plan defining whether the
    software will be
  • acquired off-the-shelf,
  • developed internally,
  • through contract or by enhancing the existing
    software, or
  • a combination of all these.

31
Control Practices
Translate COBIT's control objectives into
detailed, implementable practices and provide the
business argumentation for implementation, from a
value and a risk perspective
  • Control practices are key control mechanisms that
    support the
  • Achievement of control objectives
  • Prevention, detection and correction of undesired
    events
  • Control practices achieve that through
  • Responsible use of resources
  • Appropriate management of risk
  • Alignment of IT with business

32
Control Practices
AI6 Manage change
AI6.4 Emergency changes
IT management should establish parameters defining
emergency changes and procedures to control these
changes when they circumvent the normal process
of technical, operational and management
assessment prior to implementation. The emergency
changes should be recorded and authorised by IT
management prior to implementation.
Control practices:
  • Management defines parameters, characteristics
    and procedures that identify and declare
    emergencies.
  • All emergency changes are documented, if not
    before, then after, implementation.
  • All emergency changes are tested, if not before,
    then after, implementation.
  • All emergency changes are formally authorised by
    the system owner and management before
    implementation.
  • Before and after images as well as intervention
    logs are retained for subsequent review.
Why do it? Controlling emergency changes by
implementing the control practices will
  • Ensure that emergency procedures are used in
    declared emergencies only
  • Ensure that urgent changes can be implemented
    without compromising integrity, availability,
    reliability, security, confidentiality or
    accuracy

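The AI6.4 control practices above are a checklist that an auditor or change manager applies to each record in an emergency-change register. The script below is an added example, not part of the presentation or of COBIT itself: it encodes those five practices as checks over a constructed register and reports which records circumvented them. The register format, the set of declared emergency reasons and the two required authorising roles are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumption: the parameters management has defined to declare an emergency
# (AI6.4 asks management to define them; these values are constructed).
DECLARED_EMERGENCY_REASONS = {"production outage", "security incident", "data corruption"}

# Assumption: both roles must have signed off before implementation.
REQUIRED_AUTHORISERS = {"system owner", "it management"}


@dataclass
class EmergencyChange:
    """One record from a hypothetical emergency-change register."""
    change_id: str
    reason: str                        # why the normal change process was bypassed
    implemented_at: datetime
    authorised_by: Tuple[str, ...]     # roles that signed off
    authorised_at: Optional[datetime]  # None = no recorded authorisation
    documented_at: Optional[datetime]  # None = never documented
    tested_at: Optional[datetime]      # None = never tested
    before_image_retained: bool
    after_image_retained: bool
    intervention_log_retained: bool


def check_emergency_change(change: EmergencyChange) -> List[str]:
    """Return one finding per AI6.4 practice the record fails; empty means compliant."""
    findings: List[str] = []

    # Practice 1: emergency procedures are used in declared emergencies only.
    if change.reason not in DECLARED_EMERGENCY_REASONS:
        findings.append("reason is not a declared emergency; normal change process applies")

    # Practices 2 and 3: documented and tested, if not before then after implementation.
    if change.documented_at is None:
        findings.append("change not documented before or after implementation")
    if change.tested_at is None:
        findings.append("change not tested before or after implementation")

    # Practice 4: formally authorised by system owner and management before implementation.
    missing = REQUIRED_AUTHORISERS - set(change.authorised_by)
    if missing:
        findings.append("authorisation missing from: " + ", ".join(sorted(missing)))
    elif change.authorised_at is None or change.authorised_at > change.implemented_at:
        findings.append("authorisation not recorded before implementation")

    # Practice 5: before/after images and intervention logs retained for later review.
    if not (change.before_image_retained and change.after_image_retained):
        findings.append("before/after images not retained for review")
    if not change.intervention_log_retained:
        findings.append("intervention log not retained for review")

    return findings


def review_register(changes: List[EmergencyChange]) -> Dict[str, List[str]]:
    """Map change id to its findings for every non-compliant record in the register."""
    result: Dict[str, List[str]] = {}
    for change in changes:
        findings = check_emergency_change(change)
        if findings:
            result[change.change_id] = findings
    return result


# Constructed sample register: one compliant record and one that circumvented the practices.
SAMPLE_REGISTER = [
    EmergencyChange(
        change_id="CHG-0001", reason="production outage",
        implemented_at=datetime(2024, 3, 1, 2, 30),
        authorised_by=("system owner", "it management"),
        authorised_at=datetime(2024, 3, 1, 2, 10),
        documented_at=datetime(2024, 3, 1, 9, 0),   # documented after, which the practice allows
        tested_at=datetime(2024, 3, 1, 2, 20),
        before_image_retained=True, after_image_retained=True, intervention_log_retained=True,
    ),
    EmergencyChange(
        change_id="CHG-0002", reason="feature request",  # not an emergency at all
        implemented_at=datetime(2024, 3, 2, 14, 0),
        authorised_by=("it management",),                # system owner never signed off
        authorised_at=datetime(2024, 3, 2, 16, 0),
        documented_at=datetime(2024, 3, 2, 16, 5),
        tested_at=None,
        before_image_retained=True, after_image_retained=True, intervention_log_retained=False,
    ),
]

if __name__ == "__main__":
    for change_id, findings in review_register(SAMPLE_REGISTER).items():
        print(change_id)
        for finding in findings:
            print("  -", finding)
```

Running it lists only CHG-0002, with four findings: the reason was never a declared emergency, no test was recorded, the system owner did not authorise, and the intervention log was not retained. The design choice worth noting is that documentation and testing are accepted before or after implementation, exactly as the practices allow, while authorisation is only accepted if it predates implementation.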
33
Important COBIT Products
  • Control Objectives: Minimum controls are...
  • Management Guidelines: Here is how you measure...
  • Audit Guidelines: Here is how you audit...
34
IT Governance Model
  • IT governance helps ascertain how automated
    systems
  • Simplify operations
  • Cut costs
  • Increase revenue

Needs an IT control framework
35
How Does COBIT Link to IT Governance?
Direction and Resourcing
Requirements
Goals
Responsibilities
Control Objectives
Governance
Business
IT
Information Executives and Board Need to Exercise
Their Responsibilities
Information the Business Needs to Achieve Its
Objectives
36
Management Guidelines
However, management has questions that go beyond
a control framework:
  • How do responsible managers "keep the ship on
    course"? Indicators? (DASHBOARD)
  • How to achieve results that are satisfactory for
    the largest possible segment of our stakeholders?
    Measures? (SCORECARDS)
  • How to adapt the organisation in a timely manner
    to trends and developments in the enterprise's
    environment? Scales? (BENCHMARKING)
37
Management Guidelines Framework
  • Process Description
  • Information Criteria
  • Resources
  • Maturity Model
  • Key Goal Indicators
  • Critical Success Factors
  • Key Performance Indicators

Maturity scale:
  • 0 - Management processes are not applied at all.
  • 1 - Processes are ad hoc and disorganised.
  • 2 - Processes follow a regular pattern.
  • 3 - Processes are documented and communicated.
  • 4 - Processes are monitored and measured.
  • 5 - Best practices are followed and automated.

38
Key Goal Indicators
Definitions
  • Describe the outcome of the process (i.e.,
    measurable after the fact) are measures of
    what, and may describe the impact of not
    reaching the process goal
  • Are indicators of the success of the process and
    its business contribution
  • Focus on the customer and financial dimensions of
    the balanced scorecard

39
Key Goal Indicators
Examples
  • Increased level of service delivery
  • Number of customers and cost per customer served
  • Availability of systems and services
  • Absence of integrity and confidentiality risks
  • Cost-efficiency of processes and operations
  • Confirmation of reliability and effectiveness
  • Adherence to development cost and schedule
  • Cost-efficiency of the process
  • Staff productivity and morale
  • Number of timely changes to processes and systems
  • Improved productivity (e.g., delivery of value
    per employee)

40
Key Performance Indicators
Definitions
  • Are measures of how well the process is
    performing
  • Predict the probability of success or failure
  • Focus on the process and learning dimensions of
    the balanced scorecard
  • Are expressed in precise, measurable terms
  • Should help in improving the IT process

41
Key Performance Indicators
Examples
Financial
  • Number of IT customers
  • Cost per IT customer
  • Cost-efficiency of IT processes up
  • Delivery of IT value per employee
Process
  • Availability of systems and services
  • Developments on schedule and budget
  • Throughput and response times
  • Amount of errors and rework
Customer
  • Level of service delivery
  • Satisfaction of existing customers
  • Number of new customers reached
  • Number of new service delivery channels
Information / Learning
  • Staff productivity and morale
  • Number of staff trained in new techno/services
  • Value delivery per employee
  • Increased availability knowledge systems

42
Critical Success Factors
Definitions
  • Are the most important things to do to increase
    the probability of success of the process
  • Are observable, usually measurable,
    characteristics of the organisation and process
  • Focus on obtaining, maintaining and leveraging
    capability, skills and behaviour

43
Critical Success Factors
Examples
  • Strategy: The IT strategic plan clearly states a
    risk position such as leading-edge or road-tested,
    innovator or follower, and the required balance
    between time-to-market, cost of ownership and
    service quality.
  • Policy: If you are not ready to enforce the
    policy, do not issue the policy.
  • Compliance: A building permit programme for
    building IT systems and a driver's licence
    programme for those doing the building
  • Security: A good security plan takes time to
    evolve.

44
Maturity Models
Definitions
  • Refer to business requirements (KGIs) and the
    enabling aspects (KPIs) at the different levels
  • Are a scale that lends itself to pragmatic
    comparison, where the difference can be made
    measurable in an easy manner
  • Are recognisable as a profile of the enterprise
    in relation to IT governance and control
  • Assist in determining as-is and to-be positions
    relative to IT governance and control maturity
    and analyse the gap
  • Are neither industry-specific nor generally
    applicable. The nature of the business determines
    what is an appropriate level.

45
Maturity Models
Usage
46
AI6
Management Guideline
47
AI6
Management Guideline
48
How Audit Guidelines and Control Objectives Are
Linked
49
How Audit Guidelines and All Other COBIT Elements
Are Linked
[Diagram: Business requirements (information) are
satisfied by IT Processes, which are controlled by
Control Objectives. Control Objectives are audited
by Audit Guidelines, translated into and implemented
with Control Practices, made effective and efficient
with Critical Success Factors, and measured by Key
Performance Indicators (for performance), Key Goal
Indicators (for outcome) and Maturity Models (for
maturity). A further edge in the figure is labelled
"takes into consideration".]