The IT Governance Institute® is pleased to offer you this complimentary download of COBIT®. COBIT provides good practices for the management of IT processes in a manageable and logical structure, meeting the multiple needs of enterprise management by bridging the gaps between business risks, technical issues, control needs and performance measurement requirements. If you believe, as we do, that COBIT enables the development of clear policy and good practices for IT control throughout your organisation, we invite you to support ongoing COBIT research and development.

There are two ways in which you may express your support: (1) Purchase COBIT through the association (ISACA) Bookstore (please see the following pages for the order form and association membership application. Association members are able to purchase COBIT at a significant discount); (2) Make a generous donation to the IT Governance Institute, which conducts research and authors COBIT.

The complete COBIT package consists of all six publications, an ASCII text diskette, four COBIT implementation/orientation Microsoft® PowerPoint® presentations and a CD-ROM. A brief overview of each component is provided below. Thank you for your interest in and support of COBIT! For additional information about the IT Governance Institute, visit www.itgi.org.

Management Guidelines
To ensure a successful enterprise, you must effectively manage the union between business processes and information systems. The new Management Guidelines is composed of maturity models, critical success factors, key goal indicators and key performance indicators. These Management Guidelines will help answer the questions of immediate concern to all those who have a stake in enterprise success.

Executive Summary
Sound business decisions are based on timely, relevant and concise information. Specifically designed for time-pressed senior executives and managers, the COBIT Executive Summary explains COBIT's key concepts and principles.

Framework
A successful organization is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, technology, facilities and data), are important for the IT processes to fully support the business objective.

Audit Guidelines
Analyze, assess, interpret, react, implement. To achieve your desired goals and objectives you must constantly and consistently audit your procedures. Audit Guidelines outlines and suggests actual activities to be performed corresponding to each of the 34 high-level IT control objectives, while substantiating the risk of control objectives not being met.

Control Objectives
The key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT's Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 318 specific, detailed control objectives throughout the 34 high-level control objectives.

Implementation Tool Set
The Implementation Tool Set contains management awareness and IT control diagnostics, an implementation guide, frequently asked questions, case studies from organizations currently using COBIT and slide presentations that can be used to introduce COBIT into organizations. The tool set is designed to facilitate the implementation of COBIT, relate lessons learned from organizations that quickly and successfully applied COBIT in their work environments and assist management in choosing implementation options.

CD-ROM
The CD-ROM, which contains all of COBIT, is published as a Folio infobase. The material is accessed using Folio Views®, which is a high-performance information retrieval software tool. Access to COBIT's text and graphics is now easier than ever, with flexible keyword searching and built-in index links (optional purchase).

A network version (multi-user) of COBIT 3rd Edition is available. It is compatible with Microsoft Windows NT/2000 and Novell NetWare environments. Contact the ISACA Bookstore for pricing and availability.

See order form, donation information and membership application on the following pages.

We invite your comments and suggestions regarding COBIT. Please visit www.isaca.org/cobitinput.
Certification

One of the most important assets of an enterprise is its information. The integrity and reliability of that information and the systems that generate it are crucial to an enterprise's success. Faced with complex and correspondingly ingenious cyberthreats, organizations are looking for individuals who have the proven experience and knowledge to identify, evaluate and recommend solutions to mitigate IT system vulnerabilities. ISACA offers two certifications to meet these needs.

Certified Information Systems Auditor (CISA)
The CISA program is designed to assess and certify individuals in the IS audit, control and security profession who demonstrate exceptional skill and judgment.

The CISA examination content areas include:
• The IS audit process
• Management, planning and organization of IS
• Technical infrastructure and operational practices
• Protection of information assets
• Disaster recovery and business continuity
• Business application system development, acquisition, implementation and maintenance
• Business process evaluation and risk management

To earn the CISA designation, candidates are required to:
• Successfully complete the CISA examination
• Adhere to the Information Systems Audit and Control Association (ISACA) Code of Professional Ethics
• Submit verified evidence of a minimum number of years of professional information systems auditing, control or security work experience
• Comply with the CISA continuing education program (after becoming certified)

Certified Information Security Manager (CISM)
CISM is a newly created credential for security managers that provides executive management with the assurance that those certified have the expertise to provide effective security management and consulting. It is business-oriented and focused on information risk management while addressing management, design and technical security issues at a conceptual level.

The CISM credential measures expertise in the areas of:
• Information security governance
• Risk management
• Information security program(me) development
• Information security management
• Response management

To earn the CISM designation, information security professionals are required to:
• Successfully complete the CISM examination
• Adhere to the Information Systems Audit and Control Association (ISACA) Code of Professional Ethics
• Submit verified evidence of a minimum number of years of information security experience, with a number of those years in the job analysis domains
• Comply with the CISM continuing education program (after becoming certified)

A grandfathering opportunity, available through 31 December 2003, allows information security professionals with the necessary experience to apply for certification without taking the CISM exam.

Being a CISA or a CISM is more than passing an examination. It demonstrates the commitment, dedication and proficiency required to excel in your profession. These certifications identify their holders as consummate professionals who maintain a competitive advantage among their peers. Earning these designations helps assure a positive reputation and distinguishes you among other candidates seeking positions in both the private and public sectors. As a member of ISACA, you have the opportunity to sit for the exams, purchase review materials and attend ISACA conferences to maintain your certifications at a substantially reduced cost. For more information on becoming a CISA or a CISM, visit the ISACA web site at www.isaca.org/certification.
COBIT® 3rd Edition
Control Objectives
July 2000

Released by the COBIT Steering Committee and the IT Governance Institute™

The COBIT Mission: To research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.
INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION
A Single International Source for Information Technology Controls

The Information Systems Audit and Control Association is a leading global professional organisation representing individuals in more than 100 countries and comprising all levels of IT — executive, management, middle management and practitioner. The Association is uniquely positioned to fulfil the role of a central, harmonising source of IT control practice standards for the world over. Its strategic alliances with other groups in the financial, accounting, auditing and IT professions are ensuring an unparalleled level of integration and commitment by business process owners.

Association Programmes and Services
The Association's services and programmes have earned distinction by establishing the highest levels of excellence in certification, standards, professional education and technical publishing.
• Its certification programme (the Certified Information Systems Auditor™) is the only global designation throughout the IT audit and control community.
• Its standards activities establish the quality baseline by which other IT audit and control activities are measured.
• Its professional education programme offers technical and management conferences on five continents, as well as seminars worldwide to help professionals everywhere receive high-quality continuing education.
• Its technical publishing area provides references and professional development materials to augment its distinguished selection of programmes and services.

The Information Systems Audit and Control Association was formed in 1969 to meet the unique, diverse and high technology needs of the burgeoning IT field. In an industry in which progress is measured in nano-seconds, ISACA has moved with agility and speed to bridge the needs of the international business community and the IT controls profession.

For More Information
To receive additional information, you may telephone (+1.847.253.1545), send an e-mail (firstname.lastname@example.org) or visit these web sites: www.ITgovernance.org and www.isaca.org.

American Samoa, Argentina, Armenia, Australia, Austria, Bahamas, Bahrain, Bangladesh, Barbados, Belgium, Bermuda, Bolivia, Botswana, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Colombia, Costa Rica, Croatia, Curacao, Cyprus, Czech Republic, Denmark, Dominican Republic, Ecuador, Egypt, El Salvador, Estonia, Faeroe Islands, Fiji, Finland, France, Germany, Ghana, Greece, Guam, Guatemala, Honduras, Hong Kong, Hungary, Iceland, India, Indonesia, Iran, Ireland, Israel, Italy, Ivory Coast, Jamaica, Japan, Jordan, Kazakhstan, Kenya, Korea, Kuwait, Latvia, Lebanon, Liechtenstein, Lithuania, Luxemburg, Malaysia, Malta, Malawi, Mauritius, Mexico, Namibia, Nepal, Netherlands, New Guinea, New Zealand, Nicaragua, Nigeria, Norway, Oman, Pakistan, Panama, Paraguay, Peru, Philippines, Poland, Portugal, Qatar, Russia, Saudi Arabia, Scotland, Seychelles, Singapore, Slovak Republic, Slovenia, South Africa, Spain, Sri Lanka, St. Kitts, St. Lucia, Sweden, Switzerland, Taiwan, Tanzania, Tasmania, Thailand, Trinidad & Tobago, Tunisia, Turkey, Uganda, United Arab Emirates, United Kingdom, United States, Uruguay, Venezuela, Vietnam, Wales, Yugoslavia, Zambia, Zimbabwe
ACKNOWLEDGMENTS

COBIT STEERING COMMITTEE
Erik Guldentops, S.W.I.F.T. sc, Belgium
John Lainhart, PricewaterhouseCoopers, USA
Eddy Schuermans, PricewaterhouseCoopers, Belgium
John Beveridge, State Auditor's Office, Massachusetts, USA
Michael Donahue, PricewaterhouseCoopers, USA
Gary Hardy, Arthur Andersen, United Kingdom
Ronald Saull, Great-West Life Assurance, London Life and Investors Group, Canada
Mark Stanley, Sun America Inc., USA

SPECIAL THANKS to the ISACA Boston and National Capital Area Chapters for their contributions to the COBIT Control Objectives.

SPECIAL THANKS to the members of the Board of the Information Systems Audit and Control Association and Trustees of the Information Systems Audit and Control Foundation, headed by International President Paul Williams, for their continuing and unwavering support of COBIT.
CONTROL OBJECTIVES EXECUTIVE OVERVIEW

Critically important to the survival and success of an organisation is effective management of information and related Information Technology (IT). In this global information society—where information travels through cyberspace without the constraints of time, distance and speed—this criticality arises from the:
• Increasing dependence on information and the systems that deliver this information
• Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare
• Scale and cost of the current and future investments in information and information systems
• Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs

For many organisations, information and the technology that supports it represent the organisation's most valuable assets. Moreover, in today's very competitive and rapidly changing business environment, management has heightened expectations regarding IT delivery functions: management requires increased quality, functionality and ease of use; decreased delivery time; and continuously improving service levels—while demanding that this be accomplished at lower costs.

Many organisations recognise the potential benefits that technology can yield. Successful organisations, however, understand and manage the risks associated with implementing new technologies.

There are numerous changes in IT and its operating environment that emphasise the need to better manage IT-related risks. Dependence on electronic information and IT systems is essential to support critical business processes. In addition, the regulatory environment is mandating stricter control over information. This, in turn, is driven by increasing disclosures of information system disasters and increasing electronic fraud. The management of IT-related risks is now being understood as a key part of enterprise governance.

Within enterprise governance, IT governance is becoming more and more prominent, and is defined as a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes. IT governance is integral to the success of enterprise governance by assuring efficient and effective measurable improvements in related enterprise processes. IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives. Furthermore, IT governance integrates and institutionalises good (or best) practices of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance to ensure that the enterprise's information and related technology support its business objectives. IT governance thus enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage.

IT GOVERNANCE
A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.

Organisations must satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management must also optimise the use of available resources, including data, application systems, technology, facilities and people. To discharge these responsibilities, as well as to achieve its objectives, management must understand the status of its own IT systems and decide what security and control they should provide.

Control Objectives for Information and related Technology (COBIT), now in its 3rd edition, helps meet the multiple needs of management by bridging the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's "good practices" means consensus of the experts—they will help optimise information investments and will provide a measure to be judged against when things do go wrong.

Management must ensure that an internal control system or framework is in place which supports the business processes, makes it clear how each individual control activity satisfies the information requirements and impacts the IT resources. Impact on IT resources is highlighted in the COBIT Framework together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of information that need to be satisfied. Control, which includes policies, organisational structures, practices and procedures, is management's responsibility. Management, through its enterprise governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance or operation of information systems. An IT control objective is a statement of the desired result or purpose to be achieved by implementing control procedures within a particular IT activity.
Business orientation is the main theme of COBIT. It is designed to be employed not only by users and auditors, but also, and more importantly, as comprehensive guidance for management and business process owners.

Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls.

The COBIT Framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The Framework starts from a simple and pragmatic premise:

In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

The Framework continues with a set of 34 high-level Control Objectives, one for each of the IT processes, grouped into four domains: planning and organisation, acquisition and implementation, delivery and support, and monitoring. This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

IT governance guidance is also provided in the COBIT Framework. IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives. IT governance integrates optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage.

In addition, corresponding to each of the 34 high-level control objectives is an Audit Guideline to enable the review of IT processes against COBIT's 318 recommended detailed control objectives to provide management assurance and/or advice for improvement.

The Management Guidelines, COBIT's most recent development, further enhances and enables enterprise management to deal more effectively with the needs and requirements of IT governance. The guidelines are action oriented and generic and provide management direction for getting the enterprise's information and related processes under control, for monitoring achievement of organisational goals, for monitoring performance within each IT process and for benchmarking organisational achievement.

Specifically, COBIT provides Maturity Models for control over IT processes, so that management can map where the organisation is today, where it stands in relation to the best-in-class in its industry and to international standards and where the organisation wants to be; Critical Success Factors, which define the most important management-oriented implementation guidelines to achieve control over and within its IT processes; Key Goal Indicators, which define measures that tell management—after the fact—whether an IT process has achieved its business requirements; and Key Performance Indicators, which are lead indicators that define measures of how well the IT process is performing in enabling the goal to be reached.

COBIT's Management Guidelines are generic and action oriented for the purpose of answering the following types of management questions: How far should we go, and is the cost justified by the benefit? What are the indicators of good performance? What are the critical success factors? What are the risks of not achieving our objectives? What do others do? How do we measure and compare?

COBIT also contains an Implementation Tool Set that provides lessons learned from those organisations that quickly and successfully applied COBIT in their work environments. It has two particularly useful tools—Management Awareness Diagnostic and IT Control Diagnostic—to assist in analysing an organisation's IT control environment.

Over the next few years, the management of organisations will need to demonstrably attain increased levels of security and control. COBIT is a tool that allows managers to bridge the gap with respect to control requirements, technical issues and business risks and communicate that level of control to stakeholders. COBIT enables the development of clear policy and good practice for IT control throughout organisations, worldwide. Thus, COBIT is designed to be the breakthrough IT governance tool that helps in understanding and managing the risks and benefits associated with information and related IT.
CONTROL OBJECTIVES

COBIT IT PROCESSES DEFINED WITHIN THE FOUR DOMAINS

BUSINESS OBJECTIVES
IT GOVERNANCE

INFORMATION (criteria): effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
IT RESOURCES: people, application systems, technology, facilities, data

PLANNING & ORGANISATION
PO1 define a strategic IT plan
PO2 define the information architecture
PO3 determine the technological direction
PO4 define the IT organisation and relationships
PO5 manage the IT investment
PO6 communicate management aims and direction
PO7 manage human resources
PO8 ensure compliance with external requirements
PO9 assess risks
PO10 manage projects
PO11 manage quality

ACQUISITION & IMPLEMENTATION
AI1 identify automated solutions
AI2 acquire and maintain application software
AI3 acquire and maintain technology infrastructure
AI4 develop and maintain procedures
AI5 install and accredit systems
AI6 manage changes

DELIVERY & SUPPORT
DS1 define and manage service levels
DS2 manage third-party services
DS3 manage performance and capacity
DS4 ensure continuous service
DS5 ensure systems security
DS6 identify and allocate costs
DS7 educate and train users
DS8 assist and advise customers
DS9 manage the configuration
DS10 manage problems and incidents
DS11 manage data
DS12 manage facilities
DS13 manage operations

MONITORING
M1 monitor the processes
M2 assess internal control adequacy
M3 obtain independent assurance
M4 provide for independent audit
THE COBIT FRAMEWORK

THE NEED FOR CONTROL IN INFORMATION TECHNOLOGY

In recent years, it has become increasingly evident that there is a need for a reference framework for security and control in IT. Successful organisations require an appreciation for and a basic understanding of the risks and constraints of IT at all levels within the enterprise in order to achieve effective direction and adequate controls.

MANAGEMENT has to decide what to reasonably invest for security and control in IT and how to balance risk and control investment in an often unpredictable IT environment. While information systems security and control help manage risks, they do not eliminate them. In addition, the exact level of risk can never be known since there is always some degree of uncertainty. Ultimately, management must decide on the level of risk it is willing to accept. Judging what level can be tolerated, particularly when weighted against the cost, can be a difficult management decision. Therefore, management clearly needs a framework of generally accepted IT security and control practices to benchmark the existing and planned IT environment.

There is an increasing need for USERS of IT services to be assured, through accreditation and audit of IT services provided by internal or third parties, that adequate security and control exists. At present, however, the implementation of good IT controls in information systems, be they commercial, non-profit or governmental, is hampered by confusion. The confusion arises from the different evaluation methods such as ITSEC, TCSEC, ISO 9000 evaluations, emerging COSO internal control evaluations, etc. As a result, users need a general foundation to be established as a first step.

Frequently, AUDITORS have taken the lead in such international standardisation efforts because they are continuously confronted with the need to substantiate their opinion on internal control to management. Without a framework, this is an exceedingly difficult task. Furthermore, auditors are increasingly being called on by management to proactively consult and advise on IT security and control-related matters.

THE BUSINESS ENVIRONMENT: COMPETITION, CHANGE AND COST

Global competition is here. Organisations are restructuring to streamline operations and simultaneously take advantage of the advances in IT to improve their competitive position. Business re-engineering, right-sizing, outsourcing, empowerment, flattened organisations and distributed processing are all changes that impact the way that business and governmental organisations operate. These changes are having, and will continue to have, profound implications for the management and operational control structures within organisations worldwide.

Emphasis on attaining competitive advantage and cost-efficiency implies an ever-increasing reliance on technology as a major component in the strategy of most organisations. Automating organisational functions is, by its very nature, dictating the incorporation of more powerful control mechanisms into computers and networks, both hardware-based and software-based. Furthermore, the fundamental structural characteristics of these controls are evolving at the same rate and in the same "leap frog" manner as the underlying computing and networking technologies are evolving.

Within the framework of accelerated change, if managers, information systems specialists and auditors are indeed going to be able to effectively fulfil their roles, their skills must evolve as rapidly as the technology and the environment. One must understand the technology of controls involved and its changing nature if one is to exercise reasonable and prudent judgments in evaluating control practices found in typical business or governmental organisations.

EMERGENCE OF ENTERPRISE AND IT GOVERNANCE

To achieve success in this information economy, enterprise governance and IT governance can no longer be considered separate and distinct disciplines. Effective enterprise governance focuses individual and group expertise and experience where it can be most productive, monitors and measures performance and provides assurance to critical issues. IT, long considered solely an enabler of an enterprise's strategy, must now be regarded as an integral part of that strategy.

IT governance provides the structure that links IT processes, IT resources, and information to enterprise strategies and objectives. IT governance integrates and institutionalises optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance. IT governance is integral to the success of enterprise governance by assuring efficient and effective measurable improvements in related enterprise processes. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage.

Looking at the interplay of enterprise and IT governance processes in more detail, enterprise governance, the system by which entities are directed and controlled, drives and sets IT governance. At the same time, IT should provide critical input to, and constitute an important component of, strategic plans. IT may in fact influence strategic opportunities outlined by the enterprise.

Enterprise activities require information from IT activities in order to meet business objectives. Successful organisations ensure interdependence between their strategic planning and their IT activities. IT must be aligned with and enable the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining a competitive advantage.

[Figure: Enterprise Activities require information from Information Technology Activities]

Enterprises are governed by generally accepted good (or best) practices, to ensure that the enterprise is achieving its goals, the assurance of which is guaranteed by certain controls. From these objectives flows the organisation's direction, which dictates certain enterprise activities, using the enterprise's resources. The results of the enterprise activities are measured and reported on, providing input to the constant revision and maintenance of the controls, beginning the cycle again.

[Figure: Enterprise Governance cycle. Objectives DIRECT Enterprise Activities, which run USING Resources; the activities REPORT back to governance, which exercises CONTROL. Enterprise Governance drives and sets Information Technology Governance.]
IT also is governed by good (or best) practices, to ensure that the enterprise's information and related technology support its business objectives, its resources are used responsibly and its risks are managed appropriately. These practices form a basis for direction of IT activities, which can be characterised as planning and organising, acquiring and implementing, delivering and supporting, and monitoring, for the dual purposes of managing risks (to gain security, reliability and compliance) and realising benefits (increasing effectiveness and efficiency). Reports are issued on the outcomes of IT activities, which are measured against the various practices and controls, and the cycle begins again.

[Figure: IT Governance cycle. Objectives (IT is aligned with the business, enables the business and maximises benefits; IT resources are used responsibly; IT related risks are managed appropriately) DIRECT the IT Activities: PLAN, Planning and Organisation; DO, Acquisition and Implementation; CHECK, Delivery and Support; CORRECT, Monitoring. The IT activities manage risks (security, reliability, compliance) and realise benefits (increase automation to be effective; decrease costs to be efficient); they REPORT back to governance, which exercises CONTROL.]

In order to ensure that management reaches its business objectives, it must direct and manage IT activities to reach an effective balance between managing risks and realising benefits. To accomplish this, management needs to identify the most important activities to be performed, measure progress towards achieving goals and determine how well the IT processes are performing. In addition, it needs the ability to evaluate the organisation's maturity level against industry best practices and international standards. To support these management needs, the COBIT Management Guidelines have identified specific Critical Success Factors, Key Goal Indicators, Key Performance Indicators and an associated Maturity Model for IT governance, as presented in Appendix I.
RESPONSE TO THE NEED

In view of these ongoing changes, the development of this framework for control objectives for IT, along with continued applied research in IT controls based on this framework, are cornerstones for effective progress in the field of information and related technology controls.

On the one hand, we have witnessed the development and publication of overall business control models like COSO (Committee of Sponsoring Organisations of the Treadway Commission, Internal Control—Integrated Framework, 1992) in the US, Cadbury in the UK, CoCo in Canada and King in South Africa. On the other hand, an important number of more focused control models are in existence at the level of IT. Good examples of the latter category are the Security Code of Conduct from DTI (Department of Trade and Industry, UK), Information Technology Control Guidelines from CICA (Canadian Institute of Chartered Accountants, Canada), and the Security Handbook from NIST (National Institute of Standards and Technology, US). However, these focused control models do not provide a comprehensive and usable control model over IT in support of business processes. The purpose of COBIT is to bridge this gap by providing a foundation that is closely linked to business objectives while focusing on IT.

(Most closely related to COBIT is the recently published AICPA/CICA SysTrust™ Principles and Criteria for Systems Reliability. SysTrust is an authoritative issuance of both the Assurance Services Executive Committee in the United States and the Assurance Services Development Board in Canada, based in part on the COBIT Control Objectives. SysTrust is designed to increase the comfort of management, customers and business partners with the systems that support a business or a particular activity. The SysTrust service entails the public accountant providing an assurance service in which he or she evaluates and tests whether a system is reliable when measured against four essential principles: availability, security, integrity and maintainability.)

A focus on the business requirements for controls in IT and the application of emerging control models and related international standards evolved the original Information Systems Audit and Control Foundation's Control Objectives from an auditor's tool to COBIT, a management tool. Further, the development of IT Management Guidelines has taken COBIT to the next level, providing management with Key Goal Indicators (KGIs), Key Performance Indicators (KPIs), Critical Success Factors (CSFs) and Maturity Models so that it can assess its IT environment and make choices for control implementation and control improvements over the organisation's information and related technology.

Hence, the main objective of the COBIT project is the development of clear policies and good practices for security and control in IT for worldwide endorsement by commercial, governmental and professional organisations. It is the goal of the project to develop these control objectives primarily from the business objectives and needs perspective. (This is compliant with the COSO perspective, which is first and foremost a management framework for internal controls.) Subsequently, control objectives have been developed from the audit objectives (certification of financial information, certification of internal control measures, efficiency and effectiveness, etc.) perspective.

AUDIENCE: MANAGEMENT, USERS AND AUDITORS

COBIT is designed to be used by three distinct audiences.

MANAGEMENT: to help them balance risk and control investment in an often unpredictable IT environment.

USERS: to obtain assurance on the security and controls of IT services provided by internal or third parties.

AUDITORS: to substantiate their opinions and/or provide advice to management on internal controls.
BUSINESS OBJECTIVES ORIENTATION

COBIT is aimed at addressing business objectives. The control objectives make a clear and distinct link to business objectives in order to support significant use outside the audit community. Control objectives are defined in a process-oriented manner following the principle of business re-engineering. At identified domains and processes, a high-level control objective is identified and rationale provided to document the link to the business objectives. In addition, considerations and guidelines are provided to define and implement the IT control objective.

The classification of domains where high-level control objectives apply (domains and processes), an indication of the business requirements for information in that domain, as well as the IT resources primarily impacted by the control objectives, together form the COBIT Framework. The Framework is based on the research activities that have identified 34 high-level control objectives and 318 detailed control objectives. The Framework was exposed to the IT industry and the audit profession to allow an opportunity for review, challenge and comment. The insights gained have been appropriately incorporated.

Control is defined as the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

IT Control Objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

IT Governance is defined as a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.

GENERAL DEFINITIONS

For the purpose of this project, the following definitions are provided. "Control" is adapted from the COSO Report (Internal Control—Integrated Framework, Committee of Sponsoring Organisations of the Treadway Commission, 1992) and "IT Control Objective" is adapted from the SAC Report (Systems Auditability and Control Report, The Institute of Internal Auditors Research Foundation, 1991 and 1994).