Cobit As A Risk Management Framework Information Technology Essay

Organisations can maintain their standards and develop a system of IT governance by using Control Objectives for Information and related Technology (COBIT) as a framework. Many organisations today use COBIT to develop a systematic means of meeting compliance requirements.

COBIT is a collection of good practices and processes for IT governance, and it has been applied to software process improvement, IT service management and security governance. Because COBIT is deliberately general-purpose, implementing it in any specific setting requires deep expert knowledge. This work therefore presents the framework and its application to the development of information systems, showing how COBIT-based security management can address the security concerns that arise during development.

Keywords

Risk Management, COBIT, Enterprise Project, Security Management

Introduction

Many organisations around the world now use COBIT as a standard, at varying scales. COBIT is arguably the most suitable control framework for helping organisations ensure alignment between their business goals and their use of Information Technology (IT). The framework emphasises the business needs that control objectives must satisfy. This report is based on the common specification of COBIT and gives an overview of how it supports IT governance, looking in particular at effective and efficient alignment between IT and business goals, which is the foundation of IT governance.

IT governance can be defined as the structure of processes used to develop, control and direct Information System (IS) or IT resources so as to achieve the enterprise's goals. [2] It is also recognised as a vital success factor in exploiting information through appropriate technology to achieve organisational success. Gartner Group has found that large organisations spend over 50% of their investment on IT, a finding that underlines the significance of IT governance.

The main purpose of COBIT is to supply management and business process owners with an information technology (IT) governance model that helps in delivering value from IT and in understanding and managing the risks associated with IT.

COBIT Framework

COBIT is a globally accepted standard that defines areas and specific controls for IT governance, informatics and related IT processes. Its authors are the non-profit organisation ISACA (Information Systems Audit and Control Association) and the ITGI (IT Governance Institute). COBIT links IT goals with business goals and provides the ability to monitor the maturity of IT processes through metrics. It gives management the means to optimise IT resources such as applications, infrastructure, information and people. [6]

IT and IS auditors worldwide commonly use COBIT for managing information system reviews and risk management engagements. This is an indication of the usability and widespread acceptance of the COBIT standard and its recommendations for information systems and technologies.

COBIT was created by the Information Systems Audit and Control Association (ISACA) and the ITGI (IT Governance Institute) in 1996 for IT governance and control. Five editions had been published as of October 2010, and COBIT 5 had recently been released as a design exposure draft. That draft only outlines the high-level design of COBIT 5, which will integrate COBIT 4.1, Val IT 2.0 and the Risk IT framework and also draw specifically on the Business Model for Information Security (BMIS) and the IT Assurance Framework (ITAF). In this work we review COBIT 4.1, which consists of control objectives and application controls, improved process controls and an enhanced explanation of performance management linked to enterprise architecture. [5]

COBIT presents a framework that maps directly to the five IT governance focus areas: strategic alignment, value delivery, resource management, risk management and performance measurement.


The framework concentrates on what should be done rather than providing prescriptive guidelines on how to achieve objectives. For example, as part of Plan and Organise (PO), COBIT recommends implementing a project management framework and its supporting processes. In practice this would normally lead to the set-up of a PMO and the adoption of a project management methodology such as PMBOK or PRINCE2.

COBIT Domains

COBIT 4.1 consists of 34 key IT processes, each with its own maturity model, and about 210 detailed control objectives (earlier editions contained over 300). The processes are grouped into four domains, shown in Figure 1:

Figure 1: COBIT domains and its process flow

These IT processes control IT resources to achieve IT goals that respond to business requirements. Since we cannot describe every process, we summarise what each domain contributes to governing IT and then briefly cover the IT resources and business requirements. One of the best ways of reviewing the domains is to consider them as a lifecycle of four domains. In this lifecycle the starting point is the business requirements, expressed not only in terms of confidentiality, integrity and availability but also effectiveness, efficiency, compliance and reliability. Business requirements take inputs from business objectives (including governance objectives) from outside the domain lifecycle in one direction and feed requirement changes back to those objectives in the other. [5]

Plan and Organise (PO) includes processes for planning and organising the IT function so that it achieves the business goals of the organisation. This domain covers the use of information and technology and how it can best be used to help the company achieve its goals and objectives; it includes risk assessment. The IT processes contained in the Plan and Organise domain are listed below:

Acquire and Implement (AI) includes processes for the acquisition and development of IT solutions and for managing changes to those solutions over time. This domain also covers the development of a maintenance plan that a company should adopt in order to extend the life of an IT system and its components. The IT processes contained in the Acquire and Implement domain are listed below:

Deliver and Support (DS) includes the processes that affect the actual delivery of IT services to the organisation. It covers the processes for managing problems and incidents, managing security, and other processes that affect IT performance, as well as the execution of applications within the IT system and its results and the support processes (including security and training) that enable the effective and efficient operation of these systems. The IT processes contained in the Deliver and Support domain are listed below:

Monitor and Evaluate (ME) includes processes for the regular review of IT processes and their success in achieving the relevant IT control objectives. This domain also covers independent measurement of the effectiveness of the IT system in meeting business objectives; the business's control processes are evaluated by internal and external auditors. The IT processes of the Monitor and Evaluate domain are listed below:

ME1: Monitor and Evaluate IT Processes

ME2: Monitor and Evaluate Internal Control


ME3: Ensure Regulatory Compliance

ME4: Provide IT Governance

COBIT Enterprise Architecture

For an organisation to succeed in delivering IT services that meet business requirements, IT management must put in place a proper internal control system or control framework. COBIT supports this with the following activities:

Making a link to business requirements

Providing a set of business processes for IT management

Identifying the major IT resources to be leveraged; these are modelled in an enterprise architecture repository

Defining the management control objectives to be considered for each process

To satisfy business objectives, information must conform to certain control criteria, which COBIT calls the business requirements for information. Based on the broader quality, fiduciary and security requirements, seven distinct information criteria are defined as follows: [7, 8, 9]

Effectiveness deals with information being relevant and pertinent to the business process and delivered in a timely, correct, consistent and usable manner.

Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.

Confidentiality deals with the protection of sensitive information from unauthorized exposure.

Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.

Availability relates to information being available when required by the business process now and in the future. This criterion also concerns the safeguarding of necessary resources and associated capabilities.

Compliance deals with complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.

Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

Figure 2: IT resources managed by IT processes to meet business requirements (basic principle of COBIT)

In summary, IT resources are managed by IT processes to achieve IT goals that meet the business requirements of the organisation. This basic principle of the COBIT framework is illustrated in Figure 2. The IT resources identified in COBIT are defined as follows [5]:

Applications are the automated user systems and manual procedures that process the information.

Information is the data, in all its forms, input, processed and output by the information systems, in whatever form is used by the business.

Infrastructure is the technology and facilities (e.g., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.

People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.

To ensure that the business requirements for information are met, adequate control measures need to be defined, implemented and monitored over these resources. How then can organisations satisfy themselves that the information they receive exhibits the characteristics they need? Figure 3 illustrates this concept.

Figure 3: Overview of COBIT Framework

IT Governance Focus Areas

Another way of looking at COBIT is to see how the different elements of the framework map onto the IT governance focus areas: strategic alignment, value delivery, risk management, resource management and performance measurement. The elements to consider are goals, metrics, practices and maturity models.

For value delivery the primary enablers are metrics and maturity models, with practices as the secondary enabler. For risk management, practices are the primary enabler and metrics and maturity models are secondary. For example, it is more important to know what the best practices for reducing risk to an acceptable (accreditable) level are before applying metrics and maturity models to risk management: you need to know the different risk management methods (formal or abbreviated, for instance) before you can measure them. In a complex risk management programme it is not always feasible to infer information from the previous level of the maturity model (risk management could, for example, begin with asset identification or with vulnerability identification).


The key points are listed below; the overall view is illustrated in Figure 4.

Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.

Resource management is about the optimal investment in, and proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.

Figure 4: Overall COBIT Framework

Risk management involves risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities into the organisation.

Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT. All of these concepts are illustrated in Figure 5.

Figure 5: IT Governance Focus Area
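The enabler discussion above (maturity models and metrics applied to processes that are mapped onto the focus areas) is easiest to see in a concrete gap assessment. The following Python is an added illustration written for this page, not code from the essay or from ISACA. It assumes the six-level COBIT 4.1 maturity scale (0 Non-existent to 5 Optimised); the handful of process identifiers and names are real COBIT 4.1 processes, but the mapping of each process to focus areas is an assessor's choice made up here, and the current and target maturity figures are constructed sample data.

```python
"""Maturity gap assessment over COBIT 4.1 processes, grouped by domain and focus area.

Added example; the process-to-focus-area mapping and the sample maturity
ratings are assumptions, not figures from the page.
"""
from __future__ import annotations

from dataclasses import dataclass

# COBIT 4.1 generic maturity scale (assumption: the page does not spell it out).
MATURITY_LEVELS = {
    0: "Non-existent", 1: "Initial/Ad hoc", 2: "Repeatable but Intuitive",
    3: "Defined Process", 4: "Managed and Measurable", 5: "Optimised",
}

FOCUS_AREAS = ("strategic alignment", "value delivery", "resource management",
               "risk management", "performance measurement")

# process id -> (domain, COBIT 4.1 process name, focus areas it is weighted under).
# The focus-area mapping is an illustrative assessor's choice.
PROCESSES = {
    "PO1": ("PO", "Define a Strategic IT Plan", ("strategic alignment",)),
    "PO9": ("PO", "Assess and Manage IT Risks", ("risk management",)),
    "AI6": ("AI", "Manage Changes", ("risk management", "value delivery")),
    "DS4": ("DS", "Ensure Continuous Service", ("risk management", "resource management")),
    "DS5": ("DS", "Ensure Systems Security", ("risk management",)),
    "ME1": ("ME", "Monitor and Evaluate IT Performance", ("performance measurement",)),
    "ME2": ("ME", "Monitor and Evaluate Internal Control", ("risk management", "performance measurement")),
}


@dataclass(frozen=True)
class Gap:
    process: str
    name: str
    domain: str
    current: int
    target: int

    @property
    def size(self) -> int:
        # A process already above its target has no gap to close.
        return max(0, self.target - self.current)


def validate_level(level: int) -> int:
    """Reject ratings outside the 0..5 scale instead of silently ranking them."""
    if level not in MATURITY_LEVELS:
        raise ValueError(f"maturity level {level!r} is not on the 0-5 COBIT scale")
    return level


def assess(current: dict[str, int], target: dict[str, int], default_target: int = 3) -> list[Gap]:
    """One Gap per assessed process, largest gap first, ties broken by process id.

    Processes without an explicit target are measured against default_target
    (3, Defined Process, is a common baseline for control processes).
    """
    gaps: list[Gap] = []
    for pid, level in current.items():
        if pid not in PROCESSES:
            raise KeyError(f"unknown COBIT process {pid}")
        domain, name, _ = PROCESSES[pid]
        gaps.append(Gap(pid, name, domain,
                        validate_level(level),
                        validate_level(target.get(pid, default_target))))
    return sorted(gaps, key=lambda g: (-g.size, g.process))


def gap_by_domain(gaps: list[Gap]) -> dict[str, int]:
    """Total maturity levels still to be gained in each of the four domains."""
    totals: dict[str, int] = {}
    for g in gaps:
        totals[g.domain] = totals.get(g.domain, 0) + g.size
    return totals


def gap_by_focus_area(gaps: list[Gap]) -> dict[str, int]:
    """Total gap per governance focus area; a process mapped to several areas counts in each."""
    totals = {area: 0 for area in FOCUS_AREAS}
    for g in gaps:
        for area in PROCESSES[g.process][2]:
            totals[area] += g.size
    return totals


# Constructed sample assessment (not from the page).
SAMPLE_CURRENT = {"PO1": 3, "PO9": 1, "AI6": 2, "DS4": 2, "DS5": 2, "ME1": 3, "ME2": 1}
SAMPLE_TARGET = {"PO9": 4, "DS5": 4, "ME2": 3}  # others default to level 3

if __name__ == "__main__":
    result = assess(SAMPLE_CURRENT, SAMPLE_TARGET)
    for g in result:
        print(f"{g.process:4} {g.name:40} {g.current} -> {g.target}  gap {g.size}")
    print("by domain:", gap_by_domain(result))
    print("by focus area:", gap_by_focus_area(result))
```

Ranking by gap size puts the risk processes (PO9, DS5, ME2) at the top of the sample, and the per-focus-area totals show that most of the outstanding work sits under risk management, which is the kind of view management needs before choosing which metrics and practices to invest in.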

Conclusion

Information Technology is an important enabler of economic success within the scope of IT governance, and plays a crucial role in creating value from IT investments within the scope of business governance of IT; together these give rise to Enterprise Governance of IT. Enterprises therefore need to establish Enterprise Governance of IT through frameworks focused on these two scopes. In this paper, recognising the importance of Enterprise Governance of IT and how to achieve it, we reviewed the COBIT framework with a focus on its IT processes, the definition of COBIT, and Enterprise Governance of IT. We have defined the processes and activities of security management as a framework for a COBIT-based security baseline.

The identification of risks and controls within IT should not be a separate assessment. Instead, it should be an integral part of management's top-down, risk-based approach to identifying risks and controls and to determining the evidence needed to support the control assessment. In response to regulation such as Sarbanes-Oxley, many organisations and individuals have released guidance, for example ITGI's IT Control Objectives for Sarbanes-Oxley, which is based on COBIT.

COBIT, ITIL, ISO 17799 and ISO 27001 are the methodologies most commonly used by companies for IT security and IT governance. They are often used in parallel, which is not surprising given that they represent best practices and experience that have been approved, developed and tested in companies around the world.

Adopting the COBIT framework for business processes can reduce implementation time and increase user adoption, but this requires early planning. Organisations need to ensure that all steps of the COBIT domain lifecycle are followed through and that the detailed control objectives are mapped onto the IT governance focus areas.
