COBIT Framework for IT Governance – Introduction

Published on: 8/17/2014
Topic: Cyber Security Compliance Standards
Where to use COBIT Framework?
COBIT can be evaluated in two different contexts. First, it provides a generic process framework that can be used to comply with global standards such as SOX, ISO 27001, ITIL or PMBOK. Second, it defines a specific and detailed framework to plan, execute, control and measure all IT-enabled initiatives and services in your organization. Many organizations have used COBIT to manage the implementation of other compliance requirements, especially SOX.

Why COBIT (Control Objectives for Information and Related Technologies)?

Most organizations have running IT functions with minimal or sufficient tools and IT staff in place. The difference between them lies mostly in process maturity, the capability to define a long-term vision, ‘formal’ alignment with business goals, and the capability to measure IT performance in line with top management.

To better understand the difference COBIT makes, consider how the employee appraisal and evaluation process is executed in small or growing organizations versus mature organizations. In almost all organizations, the reporting manager rates performance against specific goals and criteria and then discusses the rating with the employee. The difference is that a few organizations define the SLA and performance goals for the employee at the start of the appraisal period, while others decide and discuss everything with the employee at appraisal closure. In the first scenario the employee still does the same work with similar skill sets and methods, but it is clear from the outset how performance will be assessed: using which control parameters, in what context and at what scale.

Similarly, with the COBIT framework you may perform the same function using similar methods, but the thought process and execution style are more strategic, and you work with better capabilities to define goals, measure performance and control execution. The key advantage for top management is the clear alignment of business goals with the IT function and its investments. The key advantage for the IT management team is the ability to focus on each planning and execution aspect of IT governance in a formal and controlled manner, and at the same time to measure the performance and maturity of IT functions using pre-defined parameters and scales.

Note: The following sections give a high-level idea of the COBIT framework's components, methods and activities, and you may not be able to fully understand the purpose and usage of each. For better understanding, treat them as reference pointers; at the end we will relate them all together using an example.

COBIT Framework Focus Areas and Domains

Focus Areas

[Figure: COBIT Focus Areas]

COBIT Framework – Domains of IT Governance

Plan & Organize:
Define execution strategy and align with key business goals; Plan for optimal use of resources; Define clear IT objectives; Establish methods for risk management and quality measurement.

Acquire & Implement:
Identify, acquire and implement IT solutions and infrastructure as per the business needs. Ensure that IT services run without interruption and are aligned with business processes.

Deliver and Support:
Ensure service delivery in line with business priorities with optimized cost; Ensure effectiveness of management controls and ensure controls are in place for Information Security and continuity of services.

Monitor and Evaluate:
Monitor all processes to ensure that the direction provided is followed, identify issues and measure performance goals.

COBIT Framework – Sub Domains

All primary domains are structured to cover multiple aspects, which I will refer to as sub-domains for our understanding.

Plan & Organize:
PO1 – Define a Strategic IT Plan
PO2 – Define the Information Architecture
PO3 – Determine Technological Direction
PO4 – Define the IT Processes, Organization and Relationships
PO5 – Manage the IT Investment
PO6 – Communicate Management Aims and Direction
PO7 – Manage IT Human Resources
PO8 – Manage Quality
PO9 – Assess and Manage IT Risks
PO10 – Manage Projects

Acquire & Implement:
AI1 – Identify Automated Solutions
AI2 – Acquire and Maintain Application Software
AI3 – Acquire and Maintain Technology Infrastructure
AI4 – Enable Operation and Use
AI5 – Procure IT Resources
AI6 – Manage Changes
AI7 – Install and Accredit Solutions and Changes

Deliver and Support:
DS1 – Define and Manage Service Levels
DS2 – Manage Third-party Services
DS3 – Manage Performance and Capacity
DS4 – Ensure Continuous Service
DS5 – Ensure Systems Security
DS6 – Identify and Allocate Costs
DS7 – Educate and Train Users
DS8 – Manage Service Desk and Incidents
DS9 – Manage the Configuration
DS10 – Manage Problems
DS11 – Manage Data
DS12 – Manage the Physical Environment
DS13 – Manage Operations

Monitor and Evaluate:
ME1 – Monitor and Evaluate IT Performance
ME2 – Monitor and Evaluate Internal Control
ME3 – Ensure Compliance with External Requirements
ME4 – Provide IT Governance

COBIT Framework – Coverage of IT Functions & Processes

COBIT 4.x identifies 34 IT processes that are commonly applied in all organizations. Not all of them need to be applied; each enterprise may adopt them as required. COBIT defines control objectives for all 34 processes. Controls are defined as policies, procedures and practices, along with a responsibility matrix.

COBIT provides examples for each process along with:
Generic inputs and outputs;
Activities and guidance on roles and responsibilities in a Responsible, Accountable, Consulted and Informed (RACI) chart;
Key activity goals;

COBIT 4.x provides a list of 17 generic business goals along with a matrix that maps these business goals to 28 IT goals.

COBIT Framework – Maturity Model to Assess Maturity Level

COBIT 4.x uses the following maturity model, which is quite similar to CMMI. Detailed instructions are provided for rating a function or process implementation at the appropriate level.

0 – Non-existent (no process used or applied for IT management)
1 – Initial/ad hoc (ad hoc management with/without implied processes but with no formal process definition)
2 – Repeatable (Work done in a fixed pattern but process is not documented)
3 – Defined (Process defined but not able to measure performance)
4 – Managed & measurable
5 – Optimized

Using the COBIT maturity model, process owners should be able to:
1. Set benchmarks that define a relative measure of where the enterprise stands
2. Define efficiency targets/benchmarks to achieve
3. Define methods for measuring progress against the target benchmarks

Note: COBIT 5.x has changed the maturity model, and it is no longer similar to the CMMI maturity model.

How it works?

COBIT 4.x provides a list of 17 generic business goals along with a matrix that maps these business goals to 28 IT goals as well as to the Information Criteria. The mapping matrix helps identify the processes and objectives to focus on for specific business goals using the Information Criteria.

The business goals are grouped into 4 categories, which we refer to as business perspectives:
1. Financial Perspective
2. Customer Perspective
3. Internal Perspective
4. Learning & Growth Perspective

For example, the section below lists 4 business goals from the matrix:
Good ROI, Product & Service Innovation, Establish Service Availability & Continuity, and Ensure Compliance with internal policies

[Figure: COBIT Matrix]

Once the business goals are selected, we can refer to another matrix that links IT goals with IT processes. As the middle section of the image shows, the business goal “Ensure Compliance with internal policies” is mapped to IT processes PO7 & AI5.

The last section of the image describes both the process requirements and the controls required to meet the following process objectives:
1. Create IT agility.
2. Acquire and maintain IT skills that respond to the IT strategy.
3. Acquire and maintain integrated and standardized application systems.
4. Acquire and maintain an integrated and standardized IT infrastructure.
5. Acquire and maintain IT skills that respond to the IT strategy.

Once we have identified the control objectives as above, we can refer to the detailed specification for each control objective, which describes the activities involved, the responsibility matrix and directions for measuring output and performance. COBIT also explains how to rate maturity on a scale of 0-5 for each control objective.

