COBIT 4.1 Framework

Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts. They are focused more on control than on execution. These practices help optimise IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

The process focus of COBIT is illustrated by a process model that subdivides IT into four domains and 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help identify the resources essential for process success, i.e., applications, information, infrastructure and people.

The four domains of COBIT are:
  • Plan and Organise (PO)—Provides direction to solution delivery and service delivery
  • Acquire and Implement (AI)—Provides the solutions and passes them to be turned into services
  • Deliver and Support (DS)—Receives the solutions and makes them usable for end users
  • Monitor and Evaluate (ME)—Monitors all processes to ensure that the direction provided is followed
To find out more about COBIT 4.1, the four domains and the 34 processes refer to the COBIT website.

Below is a simple video which explains COBIT, how it works and what it is all about:

Important control objectives for small businesses:

PO4.11 - Separation of Duties
Implement a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. The focus is on separating individuals' tasks to minimise the occurrence of fraudulent behaviour.

PO7 - Manage IT Human Resources
Ensure the hiring and training of staff, clear career paths, the assignment of roles to match skills, a good performance review process, position descriptions and awareness of dependency on key individuals. Through this process employers should conduct background checks to ensure that no fraudulent activities have occurred. Additionally, the individual should be checked during their service at the company through personal training and performance reviews. Lastly, the company must ensure that past employees' IT access is disabled to minimise the occurrence of fraud.

PO9 - Assess and Manage IT Risks
Assess the risks associated with the IT systems within the organisation, with a focus on identifying the risks, understanding the risks, assessing the risks and developing a response system to maintain and monitor fraud, security, continuity and IT risks. The assessment and management of risks ensures that organisations are aware of the risks and develop ways to minimise them.

DS4 - Ensure Continuous Service
The aim is to minimise business impact in the event of an interruption of IT systems and to ensure that the organisation is capable of continuing to trade. The focus of ensuring continuous service is on contingency planning for disasters and on having off-site back-up procedures in place. The benefits of maintaining contingency plans were highlighted during the 2011 Brisbane floods, where businesses lost their IT systems and were unable to recover operations.

DS11.5 - Backup and Restoration
The aim of backing up is to ensure the organisation can continue its service by recovering lost data. The control objective defines and encourages the implementation of procedures to back up systems, applications, data and documentation in line with business requirements and for continuity planning.

ME4 - Provide IT Governance
The importance of an effective governance framework lies in defining organisational structures, processes, roles and responsibilities to ensure IT alignment. The aim of this control is to provide a review of the framework and to monitor the process, making changes where necessary. The highlight is bringing together the focus on Plan and Organise, Acquire and Implement, Deliver and Support and Monitor and Evaluate, as per the diagram below.

Figure 1 - IT Governance Focus Areas (COBIT 4.1, 2007)

COBIT 4.1 (2007). COBIT 4.1: Framework, control objectives, management guidelines and maturity models. Retrieved from www.isaca.org
