COBIT is a framework published by ISACA for IT management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. The first release of COBIT dates back to 1996; ISACA published the current version, COBIT 5.0, in 2012.
The business orientation of COBIT consists of aligning business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business along with IT process owners.
The COBIT components include:
- Framework: Organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements.
- Process descriptions: A reference process model and common language for everyone in an organization. The processes map to the responsibility areas of plan, build, run and monitor.
- Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
- Management guidelines: Help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes.
- Maturity models: Assess maturity and capability per process and help to address gaps.
The Sarbanes-Oxley Act of 2002 (a.k.a. SOX) strengthened COBIT’s presence in the enterprise. Prior to SOX, publicly traded organizations saw very little audit oversight of electronic data resource utilization and security. Security professionals instead relied heavily on standards of best practice, such as ISO 27002 and ITIL, to safeguard resources. However, auditors chose to use the limited guidelines of COBIT 4 to govern SOX compliance. While COBIT 4 provided some guidance on information security, it lacked the comprehensive coverage of traditional standards. This changed with the release of COBIT 5.
With COBIT 5, ISACA introduced a framework for information security. It includes all aspects of ensuring reasonable and appropriate security for information resources. Its foundation is a set of principles upon which an organization should build and test security policies, standards, guidelines, processes, and controls.
Meeting stakeholder needs
The set of stakeholders includes any individual or group affected by the current or future state of a process, system or policy. Failure to involve all stakeholders, including security and audit teams, usually results in less than optimum outcomes at best. Worst-case outcomes include failed projects or material audit deficiencies.
Covering the enterprise end-to-end
General application of security and assurance best practices requires security reviews as part of all business processes and IT development and implementation activities. This is not just a horizontal integration. Rather, all levels of management must include information security in every business strategic and operational planning activity.
Applying a single integrated framework
Designing a complete framework includes all aspects of information storage, flow, and processing, providing a foundation for more efficient control implementation. A framework supports a holistic approach to securing an organization.
Enabling a holistic approach
As support for developing an integrated framework, it is important to see information security as a set of related components. Each component is driven by enablers and other factors affecting organization risk. COBIT 5 for Information Security provides a list of enablers and describes how they interrelate. Enablers help organizations integrate operations and security into the outcomes of all principles defined here. As always, this is done in a way to meet stakeholder requirements.
Separating governance from management
While governance and management are separate functions performed by designated teams, they must support each other. Governance defines outcomes and management implements technology and processes to meet those outcomes. Governance then determines if outcomes are met and provides feedback to help management make necessary adjustments.
The COBIT 5 processes are split into governance and management "areas". These two areas contain a total of five domains and 37 processes:
1. Governance of Enterprise IT
Evaluate, Direct and Monitor (EDM) – 5 processes
- Ensure Governance Framework Setting and Maintenance
- Ensure Benefits Delivery
- Ensure Risk Optimization
- Ensure Resource Optimization
- Ensure Stakeholder Transparency
2. Management of Enterprise IT
Align, Plan and Organise (APO) – 13 processes
- Manage the IT Management Framework
- Manage Strategy
- Manage Enterprise Architecture
- Manage Innovation
- Manage Portfolio
- Manage Budget and Costs
- Manage Human Relations
- Manage Relationships
- Manage Service Agreements
- Manage Suppliers
- Manage Quality
- Manage Risk
- Manage Security
Build, Acquire and Implement (BAI) – 10 processes
- Manage Programs and Projects
- Manage Requirements Definition
- Manage Solutions Identification and Build
- Manage Availability and Capacity
- Manage Organisational Change Enablement
- Manage Changes
- Manage Change Acceptance and Transitioning
- Manage Knowledge
- Manage Assets
- Manage Configuration
Deliver, Service and Support (DSS) – 6 processes
- Manage Operations
- Manage Service Requests and Incidents
- Manage Problems
- Manage Continuity
- Manage Security Services
- Manage Business Process Controls
Monitor, Evaluate and Assess (MEA) – 3 processes
- Monitor, Evaluate and Assess Performance and Conformance
- Monitor, Evaluate and Assess the System of Internal Control
- Evaluate and Assess Compliance with External Requirements
To summarize:
COBIT 5 for Information Security provides a comprehensive framework for integrating security into business processes. It also provides a set of enablers that, when applied, help ensure stakeholder acceptance and efficient business operation.
Organizations must integrate security into every facet of management and operations. This begins with identifying all business processes and associated stakeholders, including audit and InfoSec teams.
Isolated, piecemeal approaches to managing security will not achieve the best overall results. A holistic approach, one that defines a complete framework used to integrate new controls or vulnerability remediation, is necessary for both security and financial efficiency and effectiveness.