210 likes | 533 Views
Control Objectives for information and related technology . By Joseph Di Peri Amber Moore. outline. History of CobiT CobiT’s broad business control strategy Domains of CobiT Alignment with Sarbanes-Oxley Act of 2002 Why CobiT ? Who can benefit from CobiT
E N D
Control Objectives for information and related technology By Joseph Di Peri Amber Moore
outline • History of CobiT • CobiT’s broad business control strategy • Domains of CobiT • Alignment with Sarbanes-Oxley Act of 2002 • Why CobiT? • Who can benefit from CobiT • Case Study: US House of Representatives • Class scenarios • Why not to use CobiT • Conclusion and readings
History • CobiT was created in 1992 by ISACA and the IT Governance Institute. • These two IT forerunners saw a need for universal measures and benchmarks, which maximize benefits and accountability in the area of IT governance. • CobiT versions released • 1st 1996 • 2nd 1998 • 3rd 2000 • 4th 2005 • 4.1 2007
Cobit Pentagon • Broader view of key control areas within CobiT
Domains • Plan & Organize: 10 rules that aim to form the best goals for a company to achieve for it’s IT department • Acquire & Implement: 7 rules consisting of identifying what requirements they need, acquiring the technology, and implementing it within the context of the business at hand • Deliver & Support: 13 rules handling the execution of the IT process and the continued technical support like security and training • Monitor & Evaluate: 4 rules that deal directly with the auditing of the effectiveness of the IT system and the compliance of the regulatory requirements of each firm.
Aligning with cobit • Sarbanes Oxley Act of 2002 • “The Act covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.” • Interview- Evaluating Sarbanes-Oxley Act
Why cobit? • There are no set guidelines about how to comply with the 11 given sections of the Sarbanes-Oxley Act • CobiT is an adaptable system that can be manipulated to fit most business processes • Creates benchmarks for internal auditing • Creates a standardized global form of business reporting • Clear roles and responsibilities; more efficient communication • Understand risks and exploit the benefits
Q: Who else can benefit from CobiT? A: Stakeholders within the enterprise who have an interest in generating value from IT investments; internal and external stakeholders who provide IT services or have a control/risk responsibility • People who…. • make investment decisions • decide about requirements • use IT services • manage the IT organization and processes • develop capabilities • have security, privacy and/or risk responsibilities • perform compliance functions • require or provide assurance services
Case study • US House of Representatives set out to professionalize its operations • The Office of Inspector General was created to conduct the first audit ever!!
Cobit rules pertaining to case study Lack of policies and procedures • Rule PO4- Define the IT Processes, Organization and Relationships Poor systems design and development • Rule PO3- Determine Technological Direction Lack of planning and performance measures • Rule DS3- Manage Performance and Capacity Poor management of the mainframe • Rule AI3- Acquire and Maintain Technology Infrastructure Lack of security • Rule DS5- Ensure System Security Poor clarity of roles and responsibility • Rule PO6-Communincate Management Aims and Direction • Rule PO7- Manage IT Human Resources
COBIT FRAMEWORK Monitor and Evaluate Acquire and Implement Plan and Organize Deliver and Support PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 AI1 AI2 AI3 AI4 AI5 AI6 AI7 DS1 DS2 DS3 DS4 DS5 DS6 DS7 DS8 DS9 DS10 DS11 DS12 DS13 ME1 ME2 ME3 ME4
Who would benefit most from cobit? • Scenario #1. Private attorney firm consisting of 10 employees, currently using one computer for data storage. • Scenario #2. Local branch of finance firm, running on a nationwide computing system. Such as Metlife Financial, Morgan Stanly, Wells Fargo, etc. • Scenario #3. Oregon State University who is operating separate IT systems within each department.
Why not to use cobit • Expensive to implement company wide • Hiring of consultants to train employees in new methods and procedures • Time consuming to restructure business practices and policies to align with CobiT • Employee compliance with new framework • Still fairly new framework; industry lacks knowledge
BUSINESS REQUIRMENTS drive the investments in which responds to COBIT ENTERPRISE INFORMATION IT RESOURCES IT PROCCESS that are used by to deliver
Readings • The readings used in this presentation were from the creators and other implementers of CobiT. • There is an industry wide bias due to lack of alternatives • Video #1What are the Benefits of Implementing CobiT? - former CIO of ISACA • Reading #4 Case Study: Sun Microsystems - published by ISACA • Not widely adopted in the Corporate world, due to poor information surrounding the product as well as it’s recent release (12 years old) • “ Less than half of the CIOs in the financial services industry, where Cobit is most popular, are even aware of the guidelines ”