What is COBIT? - Significance and Framework
COBIT stands for Control Objectives for Information and Related Technology. It is a framework created by ISACA (Information Systems Audit and Control Association) for IT governance and management. It was designed as a supporting tool for managers, bridging the crucial gap between technical issues, business risks, and control requirements. COBIT is a widely recognized guideline that can be applied to any organization in any industry. Overall, COBIT supports the quality, control, and reliability of information systems in organizations, which is also one of the most important aspects of every modern business.
Today, COBIT is used globally by IT and business process managers to equip them with a model for delivering value to the organization and practising better risk management for IT processes. The COBIT control model is intended to safeguard the integrity of the information system.
What is The COBIT Framework?
The COBIT business orientation links business goals with the IT infrastructure by providing maturity models and metrics that measure achievement, while identifying the associated business responsibilities of IT processes. The main focus of COBIT 4.1 was illustrated with a process-based model subdivided into four specific domains:
· Planning & Organization
· Delivery & Support
· Acquisition & Implementation
· Monitoring & Evaluation
These domains are further broken down into 34 processes, each with a defined line of responsibility. COBIT holds a high position among business frameworks and is aligned with various international standards and methods, including ITIL, CMMI, COSO, PRINCE2, TOGAF, PMBOK, and ISO 27000. COBIT essentially acts as a guideline integrator, merging all these approaches under one umbrella.
The latest version, COBIT 5, came out in April 2012 and consolidates the principles of COBIT 4.1, the Risk IT framework, and Val IT 2.0. This version draws on the IT Assurance Framework (ITAF) from ISACA and the well-regarded BMIS (Business Model for Information Security).
The various components of COBIT include:
· Framework – Helps organize the objectives of IT governance and bring best practices into IT processes and domains, while linking them to business requirements.
· Process Descriptions – A reference model that also acts as a common language for every individual in the organization. The process descriptions cover the planning, building, running, and monitoring of all IT processes.
· Control Objectives – A complete list of the requirements that management has considered for effective control of the IT business.
· Maturity Models – Assess the maturity and the capability of every process while addressing the gaps.
· Management Guidelines – Help in assigning responsibilities, measuring performance, agreeing on common objectives, and illustrating the interrelationships between processes.
COBIT is used by organizations whose primary responsibilities are business processes and the related technologies, that is, all organizations and businesses that depend on technology for reliable and relevant information. COBIT is used by both government and private sector organizations because it helps make IT processes more sensible and transparent.
Why is COBIT 5.0 the Most Celebrated Version?
All previous versions of COBIT faced a variety of criticism; they were thought to offer limited opportunities and sometimes even adverse results. A major IT firm found that COBIT practices could lead to a “hot potato” situation in which every stakeholder passed tasks down the line. Critics maintained that COBIT 5.0 encouraged paperwork and rote rules rather than promoting IT governance engagement and improving accountability.
COBIT 5.0 addressed these criticisms in a sustainable manner. It encourages all organizations to govern and manage information in a holistic and integrated manner. The guiding principles of COBIT 5.0 are:
1. Meeting the needs of stakeholders
2. Covering the whole enterprise from end to end
3. Application of a single integrated framework
4. Ensuring a holistic approach to business decision making
5. Separating the governance from the management
In several cases, COBIT 5.0 has been praised for its ability to reduce the risk of IT implementations. IT initiatives typically require quick, agile adaptations that at the same time need regular buy-in from stakeholders and other users. The COBIT 5.0 framework has helped bring about a collaborative culture within organizations, which better meets the needs, risks and benefits of all IT initiatives.
The Advantages of COBIT 5.0 Certification
A COBIT 5.0 Certification not only prepares professionals for the global challenges to business IT processes, but also delivers a substantial amount of expertise on:
1. IT management issues and how they can affect organizations
2. Principles of IT governance and enterprise IT while establishing the differences between management and governance
3. Assessing the ways in which COBIT 5.0 processes can help establish the five basic principles along with the other enablers
4. Discussing COBIT 5.0 with respect to its process reference model and goal cascade
Who Benefits from a COBIT Course?
The professionals best suited to COBIT methodologies are those already in a position to understand the nuances of IT governance in business management practice. The course will be especially beneficial for:
· CIOs / IT Managers / IT Directors
· Risk Committee
· Process Owners
· Audit Committee Members
· COBIT 4.1 and earlier users
· IT Professionals in audit, risk, security, governance and assurance sectors
While the modern world is moving towards an environment of several emerging technologies, including consumerization, cloud computing, social media, big data, and mobility, information and IT are easily the new currency. Technology allows massive volumes of information to be supported and managed with ease. This raises the success rate of many organizations, but at the same time raises other challenging and complex management and governance concerns for security professionals, enterprise leaders, and governance specialists. New businesses demand that risk scenarios are better met with the power of information. COBIT 5.0 is the solution that modern businesses are asking for.
COBIT is a framework for developing, implementing, monitoring and improving information technology (IT) governance and management practices.
The COBIT framework is published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). The goal of the framework is to provide a common language for business executives to communicate with each other about goals, objectives and results. The original version, published in 1996, focused largely on auditing. The latest version, published in 2013, emphasizes the value that information governance can contribute to a business's success. It also provides a good deal of advice about enterprise risk management.
The name COBIT originally stood for "Control Objectives for Information and Related Technology," but the spelled-out version of the name was dropped in favor of the acronym in the fifth iteration of the framework.
COBIT 5 is based on five key principles for governance and management of enterprise IT:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
ISACA describes the benefits of COBIT as helping enterprises to:
· “Maintain high-quality information to support business decisions
· Achieve strategic goals and realize business benefits through the effective and innovative use of IT
· Achieve operational excellence through reliable, efficient application of technology
· Maintain IT-related risk at an acceptable level
· Optimize the cost of IT services and technology
· Support compliance with relevant laws, regulations, contractual agreements and policies”
Thus COBIT is now very much a multi-headed beast.
“There’s a COBIT for that”
There are numerous flavors of COBIT 5 for different corporate audiences and needs. Beyond governance, it provides focused guidance on areas such as security, assurance, and risk, as well as practical books such as:
· Controls and Assurance in the Cloud: Using COBIT 5
· Securing Mobile Devices Using COBIT 5 for Information Security
· Transforming Cybersecurity: Using COBIT 5
· Configuration Management Using COBIT 5
There is also “Vendor Management: Using COBIT 5”, which provides practical advice for a variety of stakeholders involved in the vendor-management process, from the board and C-level executives to the legal department and IT. It outlines:
· Life cycle stages and stakeholders
· Good practices to manage threats and risk
· How to manage a cloud service provider
· Practical service level agreement (SLA) templates, checklists and examples (available for download in an online toolkit)
· A case study outlining the consequences of ineffective vendor management
· A high-level mapping of COBIT 5 and ITIL V3 for vendor management.
Using COBIT in Government Departments
By Panduranga Bichal, COBIT Implementer, ISO 27001 LI, ITIL Expert, PRINCE2 Practitioner, TOGAF
COBIT Focus | 30 October 2017
The government of India is focused on ensuring the effective delivery of government services to its customers who consist of citizens, businesses, tourists or anyone who may require interaction with government departments at different levels for their day-to-day activities. The government of India’s aim is to improve the lives of the nation’s citizens by doing much more than simply implementing technology.
The prime minister is addressing challenges such as sanitation, health care and urbanization through a mission approach. For example, financial inclusion, the delivery of financial services at affordable costs to vast sections of disadvantaged and low-income groups, has several missions, as illustrated in figure 1.
Figure 1—Government Schemes to Achieve Financial Inclusion
· Jan Dhan Yojana – A financial inclusion mission to provide access to financial services to all sections of Indian society; aim: to ensure that all Indian households have at least 1 bank account
· Pradhan Mantri Suraksha Bima Yojana – To create a universal social security system for the poor and the underprivileged who do not have any insurance coverage; aim: to provide accidental death-cum-disability coverage of INR 2 lakh in the age group of 18-70 years
· Pradhan Mantri Jeevan Jyoti Bima Yojana – To create a universal social security system, targeted especially at the poor and the underprivileged who do not have any insurance coverage; aim: to provide life insurance coverage of INR 2 lakh to Indian citizens in the age group of 18-50 years
· Atal Pension Yojana – To address old-age security needs; aim: to provide people in the age group 18-40 years a fixed monthly payment after attaining the age of 60 years
· [scheme name not given on the page] – To provide capital to small/micro units to encourage entrepreneurship; aim: to provide easy funding to 57 million small businesses
· Pradhan Mantri Awas Yojana – To address the housing requirements of the urban poor; aim: to enable 20 million urban poor to own houses by the year 2022
Source: www.narendramodi.in. Reprinted with permission.
To achieve their objectives, the various departments are using IT to build systems for implementing their activities, monitoring performance to track progress, and reporting back to the top management responsible for these missions. This clearly shows that IT plays a big role at all levels in enabling officials to deliver on the objectives of these missions.
The departments have domain experts with little or no IT knowledge and have to depend largely on external consultants (IT companies) to meet their IT needs. Hence, a gap opens up between the business and IT, which results in IT assets that create little to no value for the stakeholders. The result is dissatisfied users.
The Need for IT Governance
The primary goals of IT governance are to ensure that the investments in IT generate business value and to mitigate the risk that is associated with IT. This can be done by implementing an organizational structure with well-defined roles for those responsible for information, business processes, applications and infrastructure.
IT governance should be viewed as how IT creates value that fits into the overall strategy of the organization and never be seen as a discipline on its own. In taking this approach, all stakeholders should be required to participate in the decision-making process. This creates a shared acceptance of responsibility for critical systems and ensures that IT-related decisions are made and driven by the business.
Despite efforts of the software industry to identify and adopt best practices in the development of IT projects, there is still a high rate of failure and missed objectives. Most IT projects do not meet the organization’s objectives.
A key best practice is implementing an organizational structure, including an effective governance framework, with well-defined roles and responsibilities for IT stakeholders. Such a framework ensures that IT investments are aligned and delivered in accordance with corporate objectives and strategies.
Without this framework, IT projects are more susceptible to failure. However, many organizations fail to consider the importance of IT governance. They take on IT projects without fully understanding the organization’s requirements for the project and how the project links to the organization’s objectives.
To be successful, an organization should consider all of the following factors, which are incorporated in best practices: high-level framework, independent assurance, performance management reporting, resource management, risk management, strategic alignment and value delivery.
Among the available frameworks for IT governance and management, the COBIT 5 framework is especially well suited because it permits managers to bridge the gaps between control requirements, technical challenges and business risk. COBIT supports clear policy development and good practice for IT control throughout the organization. COBIT emphasizes regulatory compliance, helps organizations enhance the value obtained from IT, enables alignment, and simplifies the application of the enterprise's IT governance and control framework.
The 5 principles of COBIT 5, depicted in figure 2, help organizations view IT from a different perspective than is common. That is, IT is often perceived as just a cost center that provides little to no help to the organization in fulfilling its objectives.
Figure 2—COBIT 5 Principles
Source: ISACA, COBIT 5, USA, 2012
Meeting Stakeholder Needs
In the case of government departments, the main stakeholders are the government itself, other departments, citizens and the employees of the department.
The needs of all the stakeholders must be analyzed, using the COBIT 5 goals cascade. Stakeholder needs must be mapped to IT needs, which, in turn, are mapped to enabler needs. This helps convert the needs into a more practical and achievable strategy. COBIT helps to maintain a balance between the use of available resources and the realization of the benefits by keeping in consideration the related risk.
This principle focuses on governance, negotiation and decision-making about the various conflicting needs of the stakeholders.
Covering the Enterprise End-to-End
Information plays a major role in decision-making at the government level. The timely access to information helps to frame the laws more accurately, thereby delivering benefits to the citizens.
COBIT covers the use of information and IT throughout the whole of the enterprise rather than just the IT function.
COBIT integrates IT governance with enterprise governance and includes all the processes used to manage information and technology.
Applying a Single Integrated Framework
Continuous changes in technology and added pressure from stakeholders and suppliers have complicated the lives of staff in various government departments. Department staff with limited knowledge of technology face the herculean task of managing and governing their information and related technology.
COBIT 5 aligns at a high level with a number of other frameworks and methodologies, such as the IT Infrastructure Library (ITIL) and the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 27001 standard. It can act as a single integrated framework providing enterprise coverage and consistency, and it can be customized to meet the needs of the department.
Department staff with little IT knowledge can benefit by adopting COBIT to deliver their IT solutions in line with IT industry standards.
Enabling a Holistic Approach
The higher-level management of the departments makes important decisions that have a huge impact on department staff and the department's beneficiaries, and that determine whether the government's missions are met. To achieve that, management needs a complete view of the department, including its management and governance structures and processes.
COBIT 5 facilitates effective management and governance of IT across the department by means of enablers. Enablers are the factors driving the outcome of activities that are governance- and management-related.
Enablers can be applied across the entire department, including all the internal and external resources relevant to the governance and management of IT.
There are 5 enablers defined in COBIT 5:
· Principles, policies and frameworks—Perform day-to-day activities of translating required behavior into logical guidance
· Processes—Consist of applications required to achieve objectives that, in turn, produce outputs required to achieve IT-related goals
· Organizational structures—Responsible for making informed decisions in an organization
· Information—The key product of the enterprise itself; keeps the enterprise well governed and operating successfully
· People, skills and competencies—Link people with the right skills to the right tasks, and includes taking corrective steps and making corrective decisions
Separating Governance From Management
Governance and management are not the same thing. Governance says what needs to be done, while management focuses on how it will be done.
The teams handling governance and management are different. They need to demarcate their responsibilities but work in tandem to deliver on the organization’s objectives.
Governance is understanding the needs of the organization, defining the direction through prioritization and decision-making, and monitoring compliance against objectives. Management is the mechanism through which plans are created and run in line with the agreed upon objectives.
COBIT 5 clarifies that governance and management each serve different purposes, have different responsibilities, require different types of activities and need different supportive organizational structures.
COBIT 5 uses the Evaluate, Direct, and Monitor (EDM) domain for governance, and plan-build-run-monitor (PBRM) processes for management.
Governance (or EDM) ensures that stakeholder needs are evaluated by identifying and agreeing on the objectives to be achieved; the activity is directed through prioritization and monitored for performance against those objectives. Management (or PBRM) monitors the activities and confirms that they are in alignment with the direction set by governance.
COBIT can be implemented in every organization, corporate or government, to help improve IT performance. It is flexible because it can be customized to the needs of the organization. Implementation starts with understanding stakeholder needs and business challenges and then applying the goals cascade guidelines (enterprise goals to IT goals to enabler goals). This process is not only important, but also extremely helpful and productive. It is always critical to gain senior management buy-in by showing the business benefit of using the COBIT framework.
One of the keys to successful implementation is choosing the required controls (key practices) rather than blindly following the framework and implementing the process. Ensuring that roles and responsibilities within an organization are clearly defined and shared with the team (using the responsible, accountable, consulted, informed [RACI] charts) is also critical. Dividing the improvement project into small phases helps keep the project going while the organization continues to reap the benefits, and ISACA’s COBIT 5 Implementation can be used to assist with this.
The process of adopting the COBIT framework is well supported by a number of guides from ISACA, but one should not hesitate to seek help from experts. It is important to focus more on people than on documentation. Documentation is not implementation. It is about people and educating them to behave in a new way.