COBIT (Control Objectives for Information and Related Technology)
COBIT stands for Control Objectives for Information and Related Technology. It is an internationally recognized framework for IT governance, that is, for providing assurance about the security, quality and compliance of information technology. COBIT does not primarily define how requirements are to be met; it concentrates on what has to be in place (the control objectives) and leaves the choice of implementation to the organization.
COBIT was originally developed in 1993 by the Information Systems Audit and Control Association (ISACA). Since 2000 the development and maintenance of COBIT has been the responsibility of the IT Governance Institute (ITGI), a sister organization of ISACA. Over the years COBIT has developed from a tool for IT auditors into a tool for directing and controlling IT from the enterprise viewpoint, and it is also used as a reference model for demonstrating compliance with statutory requirements. In this way it promotes the standardization of IT practices.
COBIT was created very much along the lines of COSO (the internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission) and is designed to integrate IT governance into corporate governance. COBIT is intended to be the link between the company-wide control framework (COSO) and the IT-specific models (e.g. ITIL, ISO 17799/27002). Evidence that COBIT fulfils this role is its wide international use as a control model by large companies; ISACA itself states that 95 % of major companies use COBIT in whole or in part.
COBIT provides good practices in the form of a domain and process framework and presents the activities in a structure which is both logical and easy to use. The good practices contained in COBIT incorporate the views of many experts and are oriented more towards control than towards implementation. They support the optimization of capital investment in IT, help ensure service delivery, and provide a benchmark against which to assess the situation when things go wrong.
To enable IT to fulfil the business requirements successfully, management should implement an internal control system or framework. The COBIT framework helps here by providing
- a link with the business requirements,
- the incorporation of IT-related activities into a generally accepted process model,
- the identification of key IT resources to be controlled and
- the definition of the control objectives to be taken into account.
COBIT's business orientation consists of linking corporate objectives to IT objectives, providing metrics and maturity models for measuring target attainment, and identifying the associated responsibilities of both business and IT process owners.
COBIT's process orientation is expressed in its process model, which organizes IT into 34 processes within four domains covering planning, building, running and monitoring, and so establishes an integrated view of IT. Enterprise architecture models help to identify the resources which are key to the success of these processes, e.g. applications, information, infrastructure and people.
What is IT Governance?
Meeting all business and regulatory requirements at all times requires an integrated management system coordinated across all parts of the enterprise. The management principles behind such a system are called governance. Corporate governance ensures that fair and transparent bases for decision-making and clear responsibilities apply throughout the company.
IT governance is one part of this. At the management level it covers the leadership, organizational structures and processes that ensure IT implements the corporate strategy and achieves, or exceeds, its targets. Today various frameworks, models, standards and quality systems are available to support the monitoring and fulfilment of these governance and compliance requirements.
The main objective of IT governance is to understand the requirements placed on IT, and IT's strategic importance, from the viewpoint of the company's core and management processes, so that the business can operate to optimum effect, achieve the corporate objectives and develop strategies for future expansion. IT governance ensures that the expectations placed on IT are known and that IT is in a position to fulfil them, while the associated risks are kept within acceptable limits. In this sense it would be more accurate to speak of enterprise governance of IT than of IT governance, since this governance does not take place within the IT organization but above it, at the level of the enterprise.
The IT Governance essentially creates a balance between two areas:
- the creation of corporate value
- minimizing IT risks
The aims of IT governance are usually summarized in five focus areas:
- Strategic alignment, focusing on IT solutions that serve the business strategy.
- Value delivery, focusing on optimizing IT's tasks and demonstrating the benefit IT delivers.
- Risk management, which covers the protection of IT assets, including disaster recovery and the continuation of business processes in a crisis.
- Resource management, the optimization of knowledge and infrastructure.
- Performance measurement, which creates the basis for continual improvement.
The COBIT approach to control is applied top-down. Corporate objectives form the basis for defining IT objectives, which in turn shape the IT architecture. Properly defined and operated IT processes then ensure that information is processed, IT resources (people, technology, data, applications) are managed and services are delivered. Goals and metrics are defined for each level (enterprise, IT, process and activity) so that results and performance drivers can be assessed. Target attainment is measured bottom-up, producing a closed control cycle.
Why a Control Framework?
The demand for an IT governance control framework is growing steadily. Management increasingly recognizes the key influence of information on business success and wants a better understanding of how information technology (IT) is being operated and of how IT can be used to gain competitive advantage. The company's governing bodies want to know whether the organization manages information in such a way that it can ensure the following:
- Attainment of the targets.
- Ability and flexibility to learn and change.
- Sensible approach to the relevant risks.
- Identification and exploitation of opportunities.
Successful businesses understand the risks, realize the benefits of IT and find a way of
- adapting the IT strategy to the corporate strategy,
- breaking down the IT strategy and targets in the organization,
- establishing organizational structures which enable strategy and objectives to be implemented and achieved,
- pursuing constructive relationships and communication between core business, IT and external partners and
- measuring the performance of IT.
Without implementing a governance and control framework for IT, companies cannot effectively fulfil corporate and governance requirements, which call for
- aligning IT with the corporate requirements,
- creating transparency of performance in meeting the requirements,
- organizing the activities into a generally accepted process model,
- identifying and effectively utilizing the key resources,
- defining the management control objectives to be pursued.
In addition, governance and control frameworks are developing into best practices for IT management and support the creation of IT governance and the achievement of compliance against the background of an ever-growing number of regulations.
Best practices in IT are increasingly being followed for various reasons:
- Managers of core business processes and members of governing bodies are demanding an improved return on capital investment in IT, for example by requiring IT to deliver services which increase value for the stakeholders.
- Uncertainty about the growing expenditure on IT.
- Regulatory requirements for IT controls in areas such as privacy or financial reporting (e.g. Sarbanes-Oxley Act, Basel II) or in regulated sectors such as pharmaceuticals, financial services or healthcare.
- The selection of service providers and the management of outsourcing and procurement.
- The increasing complexity of IT-related risks, such as network security.
- IT governance initiatives which promote the use of control frameworks and best practices. These provide for the monitoring and improvement of critical IT activities in order to increase IT's contribution to value and reduce business risk.
- The pressure to optimize costs by pursuing standardized approaches rather than developing solutions for specific purposes.
- The increasing maturity and consequent acceptance of recognized frameworks such as COBIT, ITIL, ISO 17799, ISO 9001, CMM and PRINCE2.
- The need to measure the company's own performance against comparable companies and generally accepted standards (benchmarking).
Business orientation is the main theme of COBIT: it was created not just for IT service providers, users and auditors but also, and more especially, as comprehensive guidance for management and for the owners of business processes.
The COBIT framework is based on the following principle: in order to provide the information the enterprise needs to achieve its objectives, it must manage and control its IT resources through a structured set of processes that deliver the required services.
The COBIT framework supplies supporting tools for this business orientation. Information criteria, IT resources and IT processes are its central components.
In order to achieve the corporate objectives, information must satisfy certain criteria, which COBIT describes as the business requirements for information. Seven distinct, partly overlapping information criteria were defined, covering quality, fiduciary and security requirements in the broad sense:
- Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
- Efficiency deals with the provision of information through the optimal (most productive and economical) use of resources.
- Confidentiality deals with the protection of sensitive information against unauthorized disclosure.
- Integrity relates to the accuracy and completeness of information as well as its validity in accordance with corporate values and expectations.
- Availability relates to information being available when required by the business process, now and in the future. It also concerns the safeguarding of the necessary resources and associated capabilities.
- Compliance deals with adherence to the laws, regulations and contractual agreements to which the business process is subject, i.e. externally imposed criteria as well as internal policies.
- Reliability relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
Corporate objectives and IT objectives
Whilst the information criteria provide a generic method for defining the information requirements, the generic business and IT goals defined in COBIT provide a more specific basis for defining business requirements and for developing metrics which measure whether these goals are being met. Every enterprise uses IT to support business initiatives; these can be expressed as business goals for IT.
If IT is to deliver services that successfully support the corporate strategy, the business (the customer) should set clear responsibilities and standards regarding its requirements, and there should be a clear understanding of the demand (WHAT and HOW) to be met by IT (the service provider).
These goals should in turn lead to clearly defined goals for IT itself (IT goals), which in turn define the IT resources and capabilities (the enterprise architecture for IT) required to perform the tasks derived from the strategy. All of these goals should be expressed in language the customer understands.
Once the aligned goals have been defined they must be monitored to ensure that actual service delivery meets expectations. This is achieved through metrics derived from the goals and recorded in an IT scorecard, in a form the customer can understand and follow and which in turn enables the service provider to focus on its internal targets.
The objective of the IT organization is to deploy the skills of its people and its (technological) infrastructure through a clearly defined set of processes so that automated business applications can be run and information processed. Together with the processes, these resources form the enterprise architecture for IT.
To be able to respond to the business requirements for IT, the enterprise must invest in the resources required to create an adequate technical capability (e.g. an enterprise resource planning system) to support a business capability (e.g. implementing a supply chain) that produces the desired outcome (e.g. increased sales and profits).
The IT resources identified in COBIT are defined as follows:
- Applications are the automated user systems and manual procedures that process information.
- Information is the data, in all its forms, input, processed and output by the information systems in whatever form is used by the business.
- Infrastructure is the technologies and systems (hardware, operating systems, database management systems, networks, multimedia etc.) as well as the installations that house and support them.
- People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.
COBIT divides IT activities in a generic process model into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. These domains map to the traditional IT responsibility areas of plan, build, run and monitor.
The COBIT framework provides a reference process model and a common language for everyone in the enterprise to view and manage IT activities. Introducing an operational model and a common language for all parties involved is one of the first and most important steps towards good governance. COBIT also provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices. A process model encourages process ownership and enables the definition of tasks and responsibilities.
To govern IT effectively it is important to be familiar with the activities and risks within IT that need to be managed.
Plan and Organize
This domain covers strategy and tactics and relates to the definition of how IT can best contribute towards achieving the corporate objectives.
Furthermore, the realization of the strategic vision must be planned, communicated and managed from various perspectives.
Finally, an appropriate organization and technological infrastructure must be put in place. This domain typically answers the following management questions:
- Are IT and company pursuing the same aims?
- Is the company making optimum use of the IT resources?
- Does everyone in the organization understand the IT objectives?
- Are the IT risks understood and being managed?
- Is the quality of the IT systems sufficient to meet the requirements of the business?
Acquire and Implement
IT solutions need to be identified, developed or acquired, and implemented and integrated into the business processes in order to realize the IT strategy. This domain also covers changes to and maintenance of existing systems, ensuring that the solutions continue to meet the corporate objectives. It typically answers the following management questions:
- Are new projects likely to deliver solutions that meet the business needs?
- Are new projects likely to be completed on time and within budget?
- Will the new systems function properly once they have been completed?
- Will changes be made without disrupting current business operations?
Deliver and Support
This domain deals with the actual delivery of the required services, encompassing service delivery, management of security and continuity, service support for users and management of data and facilities. It typically answers the following management questions:
- Are IT services delivered in accordance with the company’s priorities?
- Are the IT costs optimized?
- Can users utilize the IT systems securely and productively?
- Is the level of confidentiality, integrity and availability appropriate?
Monitor and Evaluate
All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal controls, regulatory compliance and the assurance of governance. It typically answers the following management questions:
- Is IT performance measured in order to detect problems before it is too late?
- Does the management ensure that internal controls are effective and efficient?
- Can the performance of IT be linked back to the corporate objectives?
- Are risk, control, compliance and performance measured and reported?
Processes and controls
Controls are defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. An IT control objective is a statement of the desired result or purpose to be achieved by implementing control procedures within a particular IT activity. The COBIT control objectives are the minimum requirements for effective control of each IT process.
Operational management uses processes to organize and manage ongoing IT activities. COBIT provides a generic process model which contains all the processes normally found in IT functions and thus offers a common reference model understandable to operational IT managers and to business managers.
To achieve effective governance, controls integrated into a control framework defined for all IT processes must be implemented by operational management. Since the COBIT IT control objectives are organized by IT process, the framework provides a clear link between IT governance requirements, IT processes and IT controls.
Each COBIT IT process has a high-level control objective and a number of detailed control objectives. Together these describe the characteristics of a well-managed process.
In addition to accepting the necessary controls, process owners must understand which inputs they need from other process owners and which outputs those other owners require from them. COBIT provides generic examples of the key inputs and outputs for each process, including external requirements. Some outputs are inputs to all other processes, marked 'ALL' in the output table. However, such outputs (e.g. goals for quality standards and metrics requirements, the IT process framework, documented roles and responsibilities, the enterprise IT control framework, IT policies, and individual roles and responsibilities) are not repeated as inputs in every process.
Understanding the roles and responsibilities for each process is key to effective governance. COBIT provides a RACI chart for every process: a table showing, for each activity, who is Responsible, Accountable, Consulted and Informed. Accountable means having final authority: the person who sets direction or approves the activity. Responsible denotes those who actually perform the activity. The other two roles ensure that all necessary parties are involved and support the process.
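A RACI chart is only useful for control if it is internally consistent. The following is an added example, not part of the COBIT text: a small Python check over a constructed chart that flags the defects an auditor typically looks for. The rules it enforces (exactly one Accountable and at least one Responsible per activity, and only the letters R, A, C, I or blank in each cell) are the common RACI convention and are an assumption of this example, not something the page itself states; the roles and activities are invented sample data.

```python
"""Consistency check for a RACI chart (added example, not from the COBIT text).

Assumed RACI rules (common convention, not stated on the page):
  - every activity has exactly one Accountable (A) role,
  - every activity has at least one Responsible (R) role,
  - every cell is one of R, A, C, I or blank.
"""
from collections import defaultdict

VALID_CODES = {"R", "A", "C", "I", ""}

# Constructed sample chart for one process: rows are activities, columns are roles.
SAMPLE_ROLES = ["CIO", "Head of IT Operations", "Process Owner", "Compliance", "Business Executive"]
SAMPLE_CHART = {
    "Define IT control framework": ["A", "C", "R", "C", "I"],   # well formed
    "Assess process maturity":     ["I", "C", "R", "R", ""],    # no Accountable
    "Approve metrics and targets": ["A", "A", "R", "I", "C"],   # two Accountable
    "Report control deficiencies": ["I", "C", "A", "C", "I"],   # no Responsible
    "Communicate roles to staff":  ["A", "R", "X", "I", "I"],   # invalid code
}


def check_raci(roles, chart):
    """Return {activity: [violations]}; an empty list means the row is consistent."""
    findings = {}
    for activity, cells in chart.items():
        problems = []
        if len(cells) != len(roles):
            problems.append(f"{len(cells)} cells for {len(roles)} roles")
        counts = defaultdict(int)
        for role, code in zip(roles, cells):
            if code not in VALID_CODES:
                problems.append(f"invalid code {code!r} for role {role!r}")
            counts[code] += 1
        if counts["A"] == 0:
            problems.append("no Accountable role")
        elif counts["A"] > 1:
            problems.append(f"{counts['A']} Accountable roles (exactly one expected)")
        if counts["R"] == 0:
            problems.append("no Responsible role")
        findings[activity] = problems
    return findings


def accountable_role(roles, cells):
    """Return the single Accountable role for an activity, or None if the rule is violated."""
    owners = [role for role, code in zip(roles, cells) if code == "A"]
    return owners[0] if len(owners) == 1 else None


if __name__ == "__main__":
    for activity, problems in check_raci(SAMPLE_ROLES, SAMPLE_CHART).items():
        print(f"{activity}: {'ok' if not problems else '; '.join(problems)}")
```

Run against a real chart, the same check answers the question the text raises for each process: who has final authority for an activity, and whether that authority is defined exactly once.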
DIFFERENCES and COMMONALITIES BETWEEN ITIL & COBIT
The tasks of ITIL
ITIL describes a systematic, professional approach to the management of IT services. The library places great emphasis on meeting the requirements of the business from a commercial point of view.
The necessary prerequisite is an unconditional willingness to change towards a customer- and service-oriented approach. In many companies this requires a change in the existing culture.
ITIL also aims to establish a common vocabulary for service management and thereby simplify communication.
The tasks of COBIT
The COBIT framework is aimed primarily at compliance and security and thus provides the IT governance for the operation of IT services.
IT service management under ITIL is geared to customer benefit and efficiency. Achieving the business objectives while simultaneously meeting internal and external requirements is fundamental to a company's medium- and long-term success.
Legislators, shareholders and customers now show considerably less tolerance of misconduct and negligence. Domestic and foreign regulators demand sound procedures and call for transparency and measurability of IT activities. Operational risks must therefore be managed in the interest of the company and its stakeholders.
As numerous negative examples from the past show, some companies have not survived because of missing or defective control mechanisms. Basel II and the Sarbanes-Oxley Act (SOX) were created not least in response to such failures of due care in the handling of operational risk.
Against this background, COBIT is gaining steadily in importance. This best-practice framework supports the controls for all IT processes and is geared primarily towards auditability and compliance.
Synergy between COBIT and ITIL: ISO 20000
It is no longer enough simply to implement best practice. The synergy between the two frameworks lies in aligning the more formal control objectives of COBIT with the ITIL framework, which is oriented towards fitness for purpose and flexibility, so that the control objectives are fulfilled in a defined, verifiable way.
This link synchronizes the standards for the strategic alignment and efficiency of IT service management with the audit standards.
The two frameworks will continue to develop and converge, with the bridge provided by the international standard ISO/IEC 20000. Based on ITIL (via the earlier British standard BS 15000), it was developed by the itSMF and BSI (British Standards Institution) as a clearly measurable standard, creating the opportunity to certify an organization's IT service management against its requirements.
Source: ITIL documentation