COBIT is one of the most widely recognized and used internal control frameworks for documenting internal controls in the Information Technology (IT) environment. The name is an acronym for Control Objectives for Information and related Technology. It was created by the Information Systems Audit and Control Association (ISACA) as an alternative to other internal control frameworks, such as COSO’s IC-IF, that provided a very comprehensive focus on financial and operational risks and controls, but was short on details on IT risks, controls, and related topics. In fact, beyond risks and controls, COBIT has become a highly regarded control framework for generally accepted standards for IT control practices, IT management and staff, and IT audit.
The Framework was initially released in 1996 and has undergone several revisions and upgrades over the years. The most recent release was version 5.0, released in 2012. This version provides guidance on two domains: IT Governance and IT Management. In addition, ISACA linked each enabling process to internationally recognized standards and frameworks, such as COSO IC-IF and COSO ERM, ISO 9000, 31000, 27000, and 38500, TOGAF, Project Management Body of Knowledge (PMBOK) and Information Technology Information Library (ITIL).
IT Governance
Evaluate, Direct, and Monitor
There is a single segment for this topic with multiple enabling processes defining it. IT Governance delineates the responsibilities of the board and senior management over governance and engages these parties in their role defining, overseeing and promoting IT strategy for the organization. It states there must be transparency with stakeholders, that IT benefits are delivered, and that risks to the IT infrastructure are optimized. This segment of the framework is labeled Evaluate, Direct, and Monitor (EDM).
There are five enabling processes in this segment:
EDM01—Ensure governance and framework setting and maintenance
EDM02—Ensure benefits delivery
EDM03—Ensure risk optimization
EDM04—Ensure resource optimization
EDM05—Ensure stakeholder transparency
IT Management
Align, Plan, and Organize
This domain has four underlying subcomponents. The first identifies how the organization’s IT function addresses strategy, and how IT can best contribute to the achievement of the organization’s objectives. COBIT argues that the strategic vision should be planned, communicated, and managed. To be successful in this regard, a proper organizational and technological infrastructure needs to be in place.
There are several key skills, activities, and outputs needed for the organization to successfully align its IT infrastructure, plan for the short and long terms, and organize itself effectively for success. These include the development and deployment of IT policies, a clear and comprehensive IT strategy, the identification and management of its IT architecture, constant pursuit of innovation, and sound financial and portfolio management.
This component has thirteen enabling processes and is labeled Align, Plan, and Organize (APO).
APO01—Manage the IT management framework
APO02—Manage strategy
APO03—Manage enterprise architecture
APO04—Manage innovation
APO05—Manage portfolio
APO06—Manage budgets and costs
APO07—Manage human resources
APO08—Manage relationships
APO09—Manage service agreements
APO10—Manage suppliers
APO11—Manage quality
APO12—Manage risk
APO13—Manage security
Build, Acquire, and Implement
The second subcomponent posits that to realize the organization’s IT strategy, IT solutions and actions must be identified, developed or purchased, implemented, and subsequently integrated into the business processes. While making changes and maintaining existing systems, it is imperative that these actions be properly controlled.
Essential skills, outputs, and activities include business analysis, definition of business requirements, project management, systems programming, usability evaluation, capacity management, and hardware and software decommissioning.
This segment is labeled Build, Acquire, and Implement (BAI) and has ten enabling processes.
BAI01—Manage programs and projects
BAI02—Manage requirements definition
BAI03—Manage solutions identification and build
BAI04—Manage availability and capacity
BAI05—Manage organizational change enablement
BAI06—Manage changes
BAI07—Manage change acceptance and transitioning
BAI08—Manage knowledge
BAI09—Manage assets
BAI10—Manage configuration
Deliver, Service, and Support
The third subcomponent focuses on the delivery of required services, ranging from traditional operations to security, business continuity, and training. In essence, to deliver needed services, the necessary support processes must be established.
Essential skills and outputs include availability and problem management, incident and service desk management, security administration, IT operations, and database administration.
This segment is labeled Deliver, Service, and Support (DSS) and has six enabling processes.
DSS01—Manage operations
DSS02—Manage service requests and incidents
DSS03—Manage problems
DSS04—Manage continuity
DSS05—Manage security services
DSS06—Manage business process controls
3. Applying a Single Integrated Framework by aligning COBIT 5 with other relevant and highly regarded standards and frameworks used by organizations, such as:
a. COSO Internal Controls-Integrated Framework (IC-IF)
b. COSO Enterprise Risk Management (ERM)
c. ISO 9000
d. ISO 31000
e. ISO 27000
f. ISO 38500
g. ITIL: Information Technology Information Library
h. TOGAF: The Open Group Architecture Forum
i. PMBOK: Project Management Body of Knowledge
j. CMMI: Capability Maturity Model Integration
4. Enabling a Holistic Approach that integrates multiple enabler categories so their needs, interests and characteristics are addressed effectively:
a. Principles, Policies and Frameworks: This relates to the role that behaviors influence practical guidance for daily management
b. Processes: They are the activities performed to achieve objectives and generate outputs that support IT goals
c. Organizational Structures: Consist of the key decision-making entities in an organization
d. Culture, Ethics and Behaviors: This relates to the individuals and the organization. Unfortunately, this topic is very often underestimated as a success factor in governance and management activities.
e. Information: It must be pervasive throughout any organization, and deal with all information produced and used by the enterprise. Information is required for the organization to be governed appropriately, and for keeping it running effectively. At the operational level, information is often the key product of the enterprise itself.
f. Services, Infrastructure and Applications: This includes the infrastructure and applications that provide the organization with IT processing and services.
g. People, Skills and Competencies: The organization’s IT infrastructure is closely linked to people, what they do and how they do it. Individuals are required for successful completion of all activities, for making correct decisions and taking corrective actions when required.
5. Makes a Clear Distinction and Separates Governance from Management. Each comprises different types of activities, requires different organizational structures, and serves different purposes. While governance makes sure that stakeholder needs are met and sets direction by prioritizing initiatives, making decisions and monitoring performance, management plans, builds, runs, and monitors activities to make sure they are aligned with the direction set by the governing board.
Summary
1. COBIT* is ISACA’s governance, management, and internal control framework for enterprise IT.
2. The framework consists of five principles, seven enablers, and 37 processes.
3. It covers technical and not so technical subjects, including cost and budget management, training and human resource management, project management, risk management, change management, asset management, continuity management, knowledge