LECTURE 4 - COBIT
Control Objectives for Information and Related Technology (COBIT) is a framework of good
practices for information technology (IT) governance and management. It was first published by
ISACA in 1996; later editions were developed jointly with the IT Governance Institute (ITGI),
which ISACA established in 1998.
• Accepted globally as a set of tools that helps ensure IT is working effectively
• Functions as an overarching framework
• Provides a common language to communicate goals, objectives and expected results to all
stakeholders
• Based on, and integrates, industry standards and good practices in:
o Strategic alignment of IT with business goals
o Value delivery of services and new projects
o Risk management
o Resource management
o Performance measurement
COBIT provides managers, auditors, and IT users with a set of generally accepted measures,
indicators, processes and best practices, to assist them in maximizing the benefits derived through
the use of information technology, and developing appropriate IT governance and control in a
company.
COBIT 5 (released in 2012) is built upon five key principles:
Meeting Stakeholder Needs
Covering the Enterprise End-to-End
Applying a Single Integrated Framework
Enabling a Holistic Approach
Separating Governance from Management
COBIT 5 also defines seven enablers that support the implementation of effective governance and
management practices:
1. Principles, Policies, and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics, and Behavior
5. Information
6. Services, Infrastructure, and Applications
7. People, Skills, and Competencies
Benefits
It provides managers with a foundation upon which to base IT-related decisions and
investments, while ensuring continuous service and monitoring system performance.
Decision-making is more effective because COBIT aids management in:
o Defining a strategic IT plan
o Defining the information architecture
o Acquiring the necessary IT hardware and software to execute an IT strategy
IT users benefit from COBIT because of the assurance provided to them by COBIT's defined
controls, security, and process governance.
COBIT benefits auditors by helping them to identify IT control issues within a company’s IT
infrastructure. It also helps them corroborate their audit findings.
Purpose of COBIT
The purpose of COBIT is to provide management and business process owners with an
information technology (IT) governance model that helps in delivering value from IT and
understanding and managing the risks associated with IT.
COBIT helps bridge the gaps amongst business requirements, control needs and technical issues.
It is a control model to meet the needs of IT governance and ensure the integrity of information
and information systems.
USERS OF COBIT
COBIT is used globally by those who have the primary responsibilities for business processes
and technology, those who depend on technology for relevant and reliable information, and those
providing quality, reliability and control of information technology.
PROCESSES
COBIT is IT process-oriented and is therefore addressed first of all to the owners of those
processes. It gives business process owners a framework that enables them to control all the
different activities underlying IT deployment.
COBIT provides business process owners with a generic communication framework to facilitate
understanding and clarity amongst the different parties involved in the delivery of IT services.
FUNCTIONS OF COBIT
• Improves IT efficiency and effectiveness
• Helps IT understand the needs of the business
• Puts practices in place to meet the business needs as efficiently as possible
• Ensures alignment of business and IT
• Helps executives understand and manage IT investments throughout their life cycle
Framework
A successful organization is built on a solid framework of data and information. The Framework
explains how IT processes deliver the information that the business needs to achieve its
objectives. This delivery is controlled through 34 high-level control objectives, one for each IT
process, contained in the four domains.
The Framework identifies which of the seven Information Criteria (effectiveness, efficiency,
confidentiality, integrity, availability, compliance and reliability), as well as which IT
resources (people, applications, information and infrastructure) are important for the IT
processes to fully support business.
COBIT 4.1 (2007) defines 34 high-level IT processes with 210 detailed control objectives, grouped
into four domains (COBIT 5, released in 2012, restructured this into 37 processes in five
domains). The four COBIT 4.1 domains are:
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
Plan and Organize
The Plan and Organize domain covers how information and technology can best be used to help
achieve the company's goals and objectives. It also defines the organizational and infrastructural
form IT should take to achieve optimal results and generate the most benefit from the use of IT.
The following table lists the IT processes contained in the Plan and Organize domain.
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
Acquire and Implement
The Acquire and Implement domain covers identifying IT requirements, acquiring the
technology, and implementing it within the company’s current business processes. This domain
also addresses the development of a maintenance plan that a company should adopt in order to
prolong the life of an IT system and its components. The following table lists the IT processes
contained in the Acquire and Implement domain.
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
Deliver and Support
The Deliver and Support domain focuses on the delivery of IT services. It covers the operation
of the applications within the IT system and their results, together with the support processes
that enable those systems to run effectively and efficiently. These support processes include
systems security (DS5), service continuity (DS4), incident handling (DS8), configuration
management (DS9) and user training (DS7). The following table lists the IT processes contained
in the Deliver and Support domain.
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
Monitor and Evaluate
The Monitor and Evaluate domain deals with how a company assesses whether its current IT
systems still meet the objectives for which they were designed and whether the controls needed
to comply with regulatory requirements are in place. It also covers independent assessment, by
internal and external auditors, of how effectively the IT systems meet business objectives and of
the company's control processes. The following table lists the IT processes contained in the
Monitor and Evaluate domain.
ME1 Monitor and Evaluate IT Processes
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance
COBIT AND IT GOVERNANCE SUPPORT
COBIT supports IT governance by providing a framework to ensure that:
• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT risks are managed appropriately
Benefits of implementing COBIT
A common language for executives, management and IT professionals
A better understanding of how the business and IT can work together for successful delivery
of IT initiatives
Improved efficiency and optimization of cost
Reduced operational risk
Clear policy development
More efficient and successful audits
Clear ownership and responsibilities, based on process orientation
Val IT is:
• A complete collection of proven management practices and techniques for investment in IT-
enabled business change and innovation
• A framework and supporting publications addressing the governance of IT-enabled business
investments.
Val IT VS COBIT
Val IT is a complete framework covering value governance, portfolio management and
investment management processes and activities. It is closely aligned with and complements
COBIT, but delivers value to enterprises in its own right.
While COBIT ensures that IT is working as effectively as possible to maximize the
benefits of technology investment, Val IT helps enterprises make better decisions about where to
invest, ensuring that the investment is consistent with the business strategy.