COBIT is an acronym for the IT governance and control framework called Control Objectives for Information and related Technology. COBIT provides an operational framework for compliance whereas laws mandating information security usually say little to nothing about how to achieve that requirement for compliance. As such, COBIT is an "intermediary standard" because its accepted best practices are checked by an organization's auditors for IT security compliance with laws such as Sarbanes-Oxley and Gramm-Leach-Bliley. This page provides background information about COBIT and describes how solutions from Qualys help organizations use this framework for compliance.
The first version of COBIT was published in 1996. Its sponsors were the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). According to ISACA, "COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework." COBIT has undergone several iterations; the current version is 4.1.
Why COBIT Matters to Your Organization
COBIT is important because it provides organizations with an actionable framework that auditors rely on for verification of compliance with security mandates in public laws. Typically, legislators focus on setting policy and leave implementation details to standards set by accredited organizations. For example, a huge driver for IT security in public corporations is the Sarbanes-Oxley Act of 2002. The Act requires improving and safeguarding the reliability and transparency of accounting statements and regulatory filings, but its key section (Section 404) contains fewer than 75 words about internal controls and procedures, and it does not even mention information technology or IT security. COBIT fills in the blanks by specifying a comprehensive framework of best practices with actionable measures, indicators and processes for compliance.
Considerations for Using COBIT
Implementation of COBIT entails understanding and using its key concepts, principles and controls. These begin with COBIT's four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. These four domains include 34 high-level IT control objectives. Achieving these requires appropriate implementation of 210 detailed control objectives for business processes and information systems. See the COBIT framework for details.
Plan and Organize
PO1 Define a Strategic IT Plan (PO1.5)
PO2 Define the Information Architecture (PO2.1-4)
PO3 Determine the Technological Direction (PO3.2)
PO4 Define the IT Processes, Organization and Relationships (PO4.6, PO4.11)
PO6 Communicate Management Aims and Direction (PO6.3)
PO9 Assess and Manage IT Risks (PO9.1-5)
Acquire and Implement
AI1 Identify Automated Solutions (AI1.2)
AI2 Acquire and Maintain Application Software (AI2.3-6)
AI6 Manage Changes (AI6.1, AI6.4)
Deliver and Support
DS1 Define and Manage Service Levels (DS1.6)
DS3 Manage Performance and Capacity (DS3.1-2, DS3.4-5)
DS4 Ensure Continuous Service (DS4.3)
DS5 Ensure Systems Security (DS5.1-5, DS5.7-11)
DS9 Manage the Configuration (DS9.1-3)
DS11 Manage Data (DS11.1-2, DS11.4-6)
DS13 Manage Operations (DS13.4)
Monitor and Evaluate
ME1 Monitor and Evaluate IT Performance (ME1.2-4)
ME2 Monitor and Evaluate Internal Control (ME2.1, ME2.3-5)