What is COBIT ?

COBIT is a framework created by ISACA for information technology (IT) management and IT Governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT focuses on improving IT governance in organizations and provides a framework to manage and control IT activities and supports five requirements for a control framework. Why cobit framework? For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by

 Making a link to the business requirements

Organizing IT activities into a generally accepted process model

Identifying the major IT resources to be leveraged Defining the management control objectives to be considered COBIT 4.1

COBIT is the generally accepted internal control framework for IT.

The COBIT products have been organized into three levels designed to support: Executive management and boards Business and IT management Governance, assurance, control and security professionals

BENEFITS
The benefits of implementing COBIT as a governance framework over IT include: Better alignment, based on a business focus A view, understandable to management, of what IT does Clear ownership and responsibilities, based on process orientation General acceptability with third parties and regulators Shared understanding amongst all stakeholders, based on a common language Fulfillment of the COSO requirements for the IT control environment

Need

COBIT FRAMEWORK

A control framework for IT governance defines the reasons IT governance is needed, the stakeholders and what it needs to accomplish Why? In particular, top management needs to know if information is being managed by the enterprise so that it is: Likely to achieve its objectives Resilient enough to learn and adapt judiciously managing the risks it faces Appropriately recognizing opportunities and acting upon them

Who need?
Stakeholders within the enterprise who have an interest in generating value from IT investments Internal and external stakeholders who provide IT services Internal and external stakeholders who have a control/risk responsibility

How cobit meets the need?

The COBIT framework was characteristics of being business-focused process-oriented controls-based and measurement-driven. created with the main

BUSINESS-FOCUSED
It is designed not only to be employed by IT service providers, users and auditors, but also, and more important, to provide comprehensive guidance for management and business process owners.

COBITS INFORMATION CRITERIA

To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information criteria are defined as follows 1. Effectiveness 2. Efficiency 3. Confidentiality 4. Availability 5. Compliance 6. Reliability

BUSINESS GOALS AND IT GOALS

Every enterprise uses IT to enable business initiatives, and these can be represented as business goals for IT. If IT is to successfully deliver services to support the enterprises strategy, there should be a clear ownership and direction of the requirements by the business (the customer) and a clear understanding of what needs to be delivered, and how, by IT (the provider) IT RESOURCES The IT resources identified in COBIT can be defined as follows: Applications are the automated user systems and manual procedures that process the information.

 Information is the data, in all their forms, input, processed and output by the information systems in whatever form is used by the business. Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications. People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.

PROCESS-ORIENTED
COBIT defines IT activities in a generic process model within four domains. Plan and Organize (PO) : Provides direction to solution delivery (AI) and service delivery (DS) Acquire and Implement (AI) : Provides the solutions and passes them to be turned into services Deliver and Support (DS) : Receives the solutions and makes them usable for end users Monitor and Evaluate (ME) : Monitors all processes to ensure that the direction provided is followed

CONTROLS-BASED
COBIT defines control objectives for all 34 processes, as well as overarching process and application controls. PROCESSES NEED CONTROLS Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved undesired events will be prevented or detected and corrected. The control objectives are identified by a two-character domain reference (PO, AI, DS and ME) plus a process number and a control objective number

 Each COBIT process has generic control requirements that are identified by PCn,for process control number. PC1 Process Goals and Objectives PC2 Process Ownership PC3 Process Repeatability PC4 Roles and Responsibilities PC5 Policy, Plans and Procedures PC6 Process Performance Improvement

IT GENERAL CONTROLS AND APPLICATION CONTROLS General controls are controls embedded in IT processes and services. Examples include: Systems development Change management Security Computer operations Controls embedded in business process applications are commonly referred to as application controls. Examples include: Completeness Accuracy Validity Authorization Segregation of duties

 The following list provides a recommended set of application control objectives. They are identified by ACn, for application control number. AC1 Source Data Preparation and Authorization-by qualified personnel AC2 Source Data Collection and Entry-by qualified staff AC3 Accuracy, Completeness and Authenticity Checks AC4 Processing Integrity and Validity AC5 Output Review, Reconciliation and Error Handling-in an authorized manner . AC6 Transaction Authentication and Integrity

MEASUREMENT -DRIVEN
Enterprises need to measure where they are and where improvement is required, and implement a management tool kit to monitor this improvement. COBIT deals with these issues by providing: Maturity models to enable benchmarking and identification of necessary capability improvements Performance goals and metrics for the IT processes, demonstrating how processes meet business and IT goals and are used for measuring internal process performance based on balanced scorecard principles Activity goals for enabling effective process performance

COBIT CASE STUDY

- SUN MICROSYSTEMS

Sun Microsystems
A leading provider of industrial strength hardware ,software and services . No. of employees30000+

Countries100 around the world

Suns IT department includes supporting 600 applications , 6 data center servers , 600 TB of data ,4 million internal webpages and 5 million e-mails per day .

Abstract
Suns IT department sought the use of a common framework o View and Measure o ITs alignment and contribution

o to its overall business strategy .

COBIT was recommended by Suns CIO . COBIT enhanced the process improvement work with limited resources .

Sun IT in 2004 Organizational Structure of Sun IT

 Covers strategy-architecture-technological direction .

Organizes business system from development integration

deployment of system . Business systems demand creation systems , engineering and fulfillment systems . IT Service Mgmt. focus on defining processes ,standards and tools which bridge the development and the service delivery worlds . IT Application Support & Operations focus on service support and delivery . IT Governance - focus on budget and monitoring activities .

Issues Faced
Increased pressure from the boards audit committee to demonstrate, in a quantifiable way, that it was working on the right things in the right way, that the work was being done

well and that it was adding value to the company

Evaluating its internal control framework related to the US Sarbanes-Oxley (SOX) Act of 2002 and the increasing awareness of the value of a broad internal control framework

 Identifying core vs. noncore activities, as outsourcing was more seriously explored as an option to focus on core competencies and to reduce costs Re-evaluating the IT organizations internal structure and alignment to be sure all areas are covered without unwanted redundancy

Suns Organizational View

IT staff understood the value of using a COBIT framework CIO recommended & approved COBIT Suns culture built on innovation and contrarian thinking .

Implementation To build acceptance and adoption of various

elements of COBIT .

Suns IT Dept. has to answer Qns in order to implement COBIT

How should Sun leverage the new awareness of the need for

adequate internal controls among IT people gained through the SOX

compliance effort? How should Sun demonstrate that a common framework, such as COBIT, complements rather than displaces existing process improvement methods? How should Sun identify and evaluate core vs. noncore IT activities? How should Sun ensure alignment of the organizations internal IT

organizational charters?

Reasons for resistance among IT Executive support

First, the organization had not done a thorough job at helping them understand what COBIT is and, more specifically, how it could add

value.
Second, only 18 to 24 months earlier, the company had significantly transformed the Sun IT organization, moving from a distributed approach with an IT group for each business unit to one unified Sun IT for one Sun.

This facilitated the creation and institutionalization of common standardized processes. Sun embraced Sigma, the IT

Infrastructure Library (ITIL) and other process improvement

methods. Third , Even those who were open-minded about using COBIT expressed concerns about the potential resource impact. Resources were already stretched thin, and the organization knew additional resources would not be available. Fourth , organization had begun intensive preparation for SOX

IT internal control framework

Existing controls financial reporting related controls The organizations general controls cover 22 processes with 194 controls and the number grows to 1,114. The application controls cover approximately 125 applications

with seven general categories of controls .

They are Data security classification ,System-granted access control ,Role-based segregation of duties ,Event-driven authorizations , Data validation , Interfaces and Batch processing

Factors Influencing Adoption and Acceptance of COBIT

The introduction of COBIT made Sun to view the value of having a common framework that described IT related work in an organization.

Sun IT/COBIT Activities Listing

Sun IT/COBIT Activities Listing maps Sun IT processes and activities to COBIT. monitor and evaluate.png Benefit o extremely valuable when a cross-organizational team was asked to review the alignment of the internal IT organizations. o redundancies, gaps and joint activities were called out

COBIT Domain: Plan and Organize (PO)

provides a high-level view of the revised listing. This listing covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. This mapping was developed by the organizations IT executives and senior management .(proven) did not eliminate concerns about resources constraints plan & organize1.bmp plan & organize 2.bmp

Merged Sarbanes Oxley / COBIT Assessment Process

Decisions expansion of SOX-spawned internal controls framework under the consideration of resource constraint and the experience gained through SOX compliance effort . Used Sigma Methodology was used to ensure that the views of control assessment process participants and key stakeholders were taken into account. Result IT compliance framework that has two components: 1)a formal internal control framework for SOX 2)a less formal component based in part on COBIT process maturity model assessments.

End-to-End elements

Element:Establish Scope of IT Compliance Framework

It is the part of the process where the organization moved beyond simply meeting SOX objectives to embracing COBIT more fully. STEPS: 1. Map Sun IT processes to COBIT framework. 2. Map SOX controls to Sun IT processes and identify gaps. 3. Assess Sun IT process maturity using COBIT. 4. Assess risks associated with gaps. 5. Assess costs and ease to implement controls that bridge gaps. 6. Assess business benefit of enforcing the controls. 7. Prioritize work (based on previous steps). 8. Obtain management decision on inclusion in formal internal control framework.

Example- Compliance Framework Process Assessment Workshop

organizations compliance framework process assessment worksheet. It is meant to be used in a 90-minute facilitated session with process experts and the IT executive who owns the process to give them a high-level subjective assessment of the process. example.png The elements in the assessment worksheet are based on feedback from senior IT management and reflect the key data they felt were needed to make an informed decision on inclusion of a process in the formal controls framework.

Example-compliance framework process assessment summary

It includes maturity model assessment results in a radar-style chart. The cost element on the four-quadrant chart is a composite of the cost and ease to implement components of the assessment worksheet. summary.png

 The organization set out to build on that momentum with a threepronged approach: 1. Get the word out in a meaningful way. The organization is linking COBIT presentations to specific events whenever possible to increase the relevance of the information. It is also participating in presentations to targeted audiences with material customized to their specific interests. 2. Demonstrate links among COBIT and process refinement methodologies that the organization has adopted.

Steps to Maintain Momentum

Example 1
The organization has an internal product called Helios that is part service catalogue and part configuration management database. Its development was influenced by the ITIL service level management and configuration management processes. It shows graphically that the COBIT Deliver and Support domain provides the generic what is to be done with suggested measures ITIL provides the generic how it should be done, and the Helios product provides the specific implementation.

 Another way the organization shows the linkage is overlaying its major process/activity names on a one-page representation of the COBIT framework. This has proven to be a powerful way to help people quickly see how COBIT is more inclusive and serves a different purpose than process improvement methods.

Example 2

CONCLUSION
Implementing COBIT at Sun Microsystems has been possible because senior IT management was open-minded about using it in specific situations where the value was absolutely clear. Senior managements growing use and acceptance of COBIT is filtering throughout the organization and encouraging others to look at how COBIT's components can add value to their IT work.

REFERENCES
COBIT4.0.pdf http://en.wikipedia.org/wiki/COBIT http://www.isaca.org/KnowledgeCenter/COBIT/Pages/Overview.aspx http://www.isaca.org/KnowledgeCenter/cobit/Pages/Sun-Microsystems.aspx