COBIT (Control Objectives for Information and Related Technology)

COBIT is a framework of the best practices for IT management (IT Governance). It is a set of best practices and procedures that help the organization to achieve strategic objectives through the effective use of available resources and minimization of IT risks. COBIT interconnects Enterprise governance and IT Governance. This connection is realized by linking business and IT goals, defining metrics and maturity models to measure the achievement of objectives and defining the responsibilities of owners of the business and IT processes.^[1]

The first COBIT version was released by ISACA organization in 1996. The first edition consisted of the framework, and the second one was extended to include audit guidelines, an implementation toolset, and control objectives. The third edition added management guidelines. The third edition of COBIT has been released by the ITG Institute (IT Governance Institute). The current edition is the fifth (COBIT 5), and the fifth version is available from April 2012. COBIT 5 consolidates and integrates the COBIT 4.1, Val IT 2.0, and Risk IT Framework and also draws significantly from the Business Model for Information Security (BMIS) and ITAF.^[2]

Framework and Components of COBIT

Framework and Components of COBIT^[3]
COBIT was initially "Control Objectives for Information and Related Technologies," though before the release of the framework people talked of "CobiT" as "Control Objectives for IT" or "Control Objectives for Information and Related Technology." The framework defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process activities, process objectives, performance measures, and an elementary maturity model. COBIT also provides a set of recommended best practices for the governance and control process of information systems and technology with the essence of aligning IT with business]]. COBIT 5 consolidates COBIT 4.1, Val IT, and Risk IT into a single framework acting as an enterprise framework aligned and interoperable with other frameworks and standards. The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners. The process focus of COBIT is illustrated by a process model that subdivides IT into four domains (Plan and Organize; Acquire and Implement; Deliver and Support; and Monitor and Evaluate) and 34 processes in line with the responsibility areas of plan, build, run, and monitor. It is positioned at a high level and has been aligned and harmonized with other, more detailed IT standards and good practices such as COSO, ITIL, BiSL, ISO 27000, CMMI, TOGAF and PMBOK. COBIT acts as an integrator of these different guidance materials, summarizing key objectives under one umbrella framework that links the good practice models with governance and business requirements. COBIT 5 further consolidated and integrated the COBIT 4.1, Val IT 2.0, and Risk IT frameworks and drew from ISACA's IT Assurance Framework (ITAF) and the Business Model for Information Security (BMIS). The framework and its components can, when utilized well, also contribute to ensuring regulatory compliance. It can encourage less wasteful information management, improve retention schedules, increase business agility, and lower costs while better complying with data retention and management regulations.

COBIT components include:

• Framework: Organizes IT governance objectives and good practices by IT domains and processes and links them to business requirements.
• Process descriptions: A reference process model and common language for everyone in an organization. The processes map to responsibility areas of planning, building, running, and monitoring.
• Control objectives: Provides a complete set of high-level requirements to be considered by management for effective control of each IT process.
• Management guidelines: Helps assign responsibility, agree on objectives, measure performance, and illustrate interrelationship with other processes.

Maturity models: Assesses maturity and capability per process and help to address gaps.

The Principles of COBIT

The Principles of COBIT^[4]
There are five principles that makeup COBIT: (see figure below)

• Meeting stakeholder needs. This is incredibly general, but COBIT points out that meeting the needs of the stakeholder while still meeting the needs of the company is valuable.
• Covering the enterprise end-to-end. You must have a complete solution—not just pieces here and there. It’s important to take an in-depth look at network devices, endpoint solutions, as well as signature, non-signature, and heuristic base protection (and much more).
• Applying a single integrated framework. This isn’t to say you need only a single vendor for your framework, but rather that your framework must be organized and well thought-out.
• Enabling a holistic approach. You must have a plan of action that attacks an IT problem from multiple angles.
• Separating governance from management. Governance ensures that there is oversight, while management deals with the necessary processes and steps needed.

source: ISACA

The COBIT Reference Model

The COBIT 5 Process Reference Model^[5]
COBIT 5 is not delivered as a prescriptive model; rather, it advocates the implementation of governance and management processes within enterprises, as per the figure below. The COBIT 5 process reference model defines and describes in detail the governance and management processes normally found within an enterprise relating to IT activities, providing a common reference model understandable to operational IT and business managers. The COBIT 5 model delivers an operational model with a common language for all parts of the business involved in IT activities and provides a framework for measuring and monitoring IT performance, communicating with service providers, and integrating best management practices.

source: ISACA

The COBIT 5 process reference model divides the governance and management processes of enterprise IT into two main process domains:

• Governance—Contains five governance processes with “evaluate, direct and monitor practices” defined within each process
• Management—Four domains, in line with the responsibility areas of plan, build, run and monitor (PBRM), providing the end-to-end coverage of IT. These domains are an evolution of the COBIT 4.1 domain and process structure:
  • Align, Plan, and Organise (APO)
  • Build, Acquire and Implement (BAI)
  • Delivery, Service, and Support (DSS)
  • Monitor, Evaluate and Assess (MEA)

The COBIT 5 process reference model is the successor of the COBIT 4.1 process model, incorporating both the Risk IT and Val IT frameworks.

Analyzing COBIT

COBIT - An Analysis^[6]
A significant refresh of COBIT 4.1, COBIT 5 improves this useful framework by integrating several of ISACA's frameworks, notably Val IT and Risk IT. The changes have made COBIT 5 broader and more complex. The scope of its guidance could overwhelm new users and inhibit its adoption; consequently, the online version of COBIT 5 will need to provide role-specific versions or logical views to make it more user-friendly.

Changes in COBIT 5 likely to have the greatest impact on organizations currently using COBIT include:

• A new process capability assessment approach, based on ISO/IEC 15504, which replaces the Capability Maturity Model (CMM)-based modeling.
• Modifications to the process model, including changed processes and some new processes.
• Beyond the integration, this update also attempts to address a number of issues, including:
• Greater relevance to a wider business audience through increased separation of governance from management and clearer connection with board-level concerns.
• More explicit guidance to levers of change ("enablers") beyond processes, such as culture, ethics, behavior, people, skills, and competencies.
• Improved process capability assessments.
• Linkage between specific IT and enabler goals to broader enterprise-level goals.
• Greater emphasis on value creation through focusing on benefits realization, risk optimization, and resource optimization.

However, ISACA has overlooked or set aside some areas for this update:

• It ignores the blurring boundary between operational technology and information technology, which will have an increasing impact on the management of risk and delivery of value and will require additional controls.
• It is just about acknowledging but does not explicitly deal with or provide any useful guidance on, sustainability.
• It still complements the Information Technology Infrastructure Library (ITIL) without replacing it.

See Also

• OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
• Factor Analysis of Information Risk (FAIR)

References

Further Reading

• COBIT and its Utilization: A framework from the literature Gail Ridley,Judy Young, Peter Carroll
• COBIT 5 for Risk: Making Sense of IT Risk Management Syed Salman, CISA
• How COBIT 5 Can Help Reduce the Likelihood and Impact of the Top 5 Cyberthreats Sue Milton, CISA, CGEIT
• COBIT Framework as a Guideline of Effective IT Governance in Higher Education: A Review Rasha Adnan Khther and Dr. Marini Othman and Dr. Marini Othman