
COBIT

WHY COBIT?
✓ IT is now critical to every business activity
✓ Success in business is mostly driven by planned and perfected business
processes.
✓ The same level of care is usually not given to IT in an organisation:
• Poor IT-business relations
• Poor project delivery
• Data not compartmentalized
• Applications need standardization
• Lack of internal controls in applications
• Network not reliable at all locations
✓ If IT fails, business fails
✓ COBIT tries to drive a change where enterprises apply the same
mentality to their IT as to their other business processes.
WHAT IS COBIT?
✓ Control Objectives for Information and Related Technology
✓ Governance and management framework for enterprise IT.
✓ Developed by ISACA (Information Systems Audit and Control Association)
✓ Framework is generic and useful for enterprises of all sizes, whether
commercial, not for profit or in the public sector


BENEFITS OF COBIT
✓ Enables an organisation to extract optimal value from IT
✓ Maintains balance between realising benefits, optimizing risk and
resource utilisation
✓ Helps to achieve operational and strategic objectives of the organisation
✓ Supports compliance with relevant laws, regulations and policies
COBIT 5 PRINCIPLES
1. Meeting stakeholder needs
2. Covering the enterprise end to end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management
PRINCIPLE 1: MEETING STAKEHOLDER NEEDS
Enterprise exists to create value for the stakeholders
✓ Enterprises have many stakeholders, and creating value for each one of
them is difficult
✓ The governance system should consider this aspect while making
decisions based on benefit, resource and risk assessment
✓ For each decision it should be asked who is the beneficiary, the
risk taker and the resource provider
✓ The stakeholder needs are translated into specific, practical and
customised goals within the context of the enterprise
PRINCIPLE 2 : COVERING THE ENTERPRISE END TO END
• The governance and management of information and related technologies
are addressed from an enterprise-wide, end-to-end perspective
• It covers all functions and processes within the enterprise
PRINCIPLE 3 : APPLYING A SINGLE INTEGRATED FRAMEWORK
It aligns with the relevant and latest standards and frameworks that are
used by companies
• Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
• IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series
This enables enterprises to use COBIT as an overarching governance and
management framework
PRINCIPLE 4 : ENABLING A HOLISTIC APPROACH
Enablers – factors that individually and collectively influence whether something will work or not
PRINCIPLE 5 : SEPARATING GOVERNANCE FROM MANAGEMENT
✓ COBIT 5 makes a clear distinction between governance and management:
✓ Due to the different set of activities carried out
✓ Requires different organisational structures
✓ Serving different purposes
✓ Governance – responsibility of the Board of Directors under the leadership of
the chairperson
✓ Management – responsibility of executive management under the leadership of
the CEO
COBIT 5 ENABLERS
The seven enablers:
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

Principles, policies and frameworks translate desired behaviour into practical
guidance for day to day management.
Processes describe an organized set of practices and activities to achieve certain
objectives.
Organizational structures are the key decision-making entities in an enterprise.
The culture, ethics and behaviour of individuals and of the enterprise are a factor
for success in governance and management activities.
Information is required for keeping the organization running and well governed. At
the operational level, information is the key product of the enterprise itself.
Services, infrastructure and applications provide the enterprise with information
technology processing and services.
People, skills and competencies are linked to people and are required for successful
completion of all activities, for making correct decisions and for taking corrective actions.
STRUCTURE AND OBJECTIVES
COBIT’s hierarchy (integers indicate the number of items at each level):
• DOMAINS (4)
• PROCESSES (34)
• CONTROL OBJECTIVES (318)
• CONTROL PRACTICES (1547)

Two key terms:
Control is the policies, procedures, practices and organizational structures, designed to provide
reasonable assurance that business objectives will be achieved and that undesired events will be
prevented or detected and corrected.
Control objective is a statement of the desired result or purpose to be achieved by implementing
control procedures in a particular IT activity.
CONTROL OBJECTIVES
• Quality Control components: Address quality, cost and delivery.
• Fiduciary control components: Address effectiveness, efficiency, reliability of information and
compliance.
• Security control components: Address confidentiality, integrity and availability (CIA)
4 COBIT Domains – For IT Management
Planning and organization: Linkage of business strategy to IT strategy, strategic vision, etc.
Acquisition and implementation: A change in management is required to realize IT strategy.
Delivery and support: Service delivery, support mechanisms, security, education, etc.
Monitoring: Assessment of all infrastructure components over time.
COBIT & IT Governance
Objective – Desired results
  qualified by
Critical Success Factors – Most important tasks required
  measured by
Key Goal Indicators – Measures for meeting objectives
  process monitored by
Key Performance Indicators – Measures for meeting process objectives
COBIT - Implementation
What are the drivers? This phase starts with recognizing and agreeing to the need for
an implementation. It identifies the current pain points and triggers and creates a desire
to change at executive management levels.
What are we now? This phase is focused on defining the scope of the implementation
using COBIT’s mapping of enterprise goals to IT-related goals to the associated IT
processes and considering how risk scenarios could also highlight key processes on
which to focus.
What do we want to be? In this phase, an improvement target is set, followed by a
more detailed analysis using COBIT’s guidance to identify gaps and potential solutions.
Some solutions may offer quick wins and others might be more challenging.
What needs to be done? This phase plans practical solutions by defining projects supported
by justifiable business cases. A change plan for implementation is also developed.
How do we get there? The proposed solutions are implemented into day-to-day
practices in this phase. Measures can be defined and established using COBIT’s goals
and metrics to ensure that business alignment is achieved and maintained, and
performance can be measured.
Did we get there? This phase focuses on the sustainable operation of the new or
improved enablers and the monitoring of the achievement of expected benefits.
How do we keep the momentum going? In this phase, the overall success of the
initiative is reviewed, further requirements for the governance or management of
the enterprise are identified and the need for continual improvement is reinforced.
Use cases of COBIT – Harley Davidson
In 2003, Harley-Davidson had limited IT controls in place and staff had limited control
knowledge.
To jumpstart IT governance and Sarbanes-Oxley activities, Harley-Davidson created an IS
compliance department and began implementing a vendor’s general computer controls
model.
After attending a COBIT User Convention, a Harley-Davidson risk specialist
recommended COBIT to management and then converted the control framework to
COBIT.
Harley-Davidson is subject to many regulations, including HIPAA and Gramm-Leach-
Bliley, and COBIT serves as an umbrella framework that helps the company zero in on
appropriate control and compliance activities.
Prior to implementing the COBIT framework, areas the external auditor audited were
chosen randomly or on loose justifications. Now the areas selected for auditing are
firmly based on business value and control needs.
Use cases of COBIT - DuPont
DuPont recognized that it must leverage a robust, dependable process assessment
framework to drive its continuous improvement program.
The COBIT 5 process assessment model (PAM) is evidence-based and enables a
reliable, consistent and repeatable assessment in the area of governance and
management of enterprise IT (GEIT) to support continuous process improvement.
The higher the process capability, the lower the risk of the process failing to meet
its intended purpose.
This COBIT 5 PAM assessment has helped DuPont establish appropriate process
baselines and a well-balanced SMART improvement road map to continually enhance
its information and technology capability for a competitive advantage and fuel
business growth for the company.
OCTAVE
✓ OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
✓ Is a risk-based strategic assessment and planning technique for security.
✓ Is a single source comprehensive approach to risk management.
✓ Is a self-directed approach, meaning that people from an organization assume
responsibility for setting the organization’s security strategy.
✓ Allows organizations to balance the protection of critical information assets
against the costs of providing protection and detective controls.
✓ Led by an interdisciplinary team of the organization’s personnel
• Gather and analyse information
• Produce protection strategy and mitigation plans based on the
organization’s unique operational security risks.
The technique leverages people’s knowledge of their organization’s security
practices and processes to capture the current state of security practice
within the organization. Risks to the most critical assets are used to
prioritize areas of improvement and set the security strategy for the
organization.
It can assist the organization by enabling it to measure itself against known
or accepted good security practices, and then to establish an organization-
wide protection strategy and information security risk mitigation plan.
Unlike the typical technology-focused assessment, which is targeted at
technological risk and focused on tactical issues, OCTAVE is targeted at
organizational risk and focused on strategic, practice-related issues. It is a
flexible evaluation that can be tailored for most organizations.
When applying OCTAVE, a small team of people from the operational (or
business) units and the information technology (IT) department work
together to address the security needs of the organization, balancing the
three key aspects: operational risk, security practices, and technology.
Key Characteristics of the OCTAVE approach
OCTAVE is an asset-driven evaluation approach.
✓ Identify information-related assets (e.g., information and systems) that
are important to the organization
✓ Focus risk analysis activities on those assets judged to be most critical to
the organization
✓ Consider the relationships among critical assets, the threats to those
assets, and vulnerabilities (both organizational and technological) that
can expose assets to threats
✓ Evaluate risks in an operational context - how they are used to conduct
an organization’s business and how those assets are at risk due to
security threats
✓ Create a practice-based protection strategy for organizational
improvement as well as risk mitigation plans to reduce the risk to the
organization’s critical assets
OCTAVE Phases
OCTAVE is organized around these three basic aspects enabling
organizational personnel to assemble a comprehensive picture of the
organization’s information security needs.
The phases are:
Phase 1: Build Asset-Based Threat Profiles
This is an organizational evaluation. The analysis team determines what
is important to the organization (information-related assets) and what is
currently being done to protect those assets. The team then selects
those assets that are most important to the organization (critical assets)
and describes security requirements for each critical asset. Finally, it
identifies threats to each critical asset, creating a threat profile for that
asset.
Phase 2: Identify Infrastructure Vulnerabilities
This is an evaluation of the information infrastructure. The analysis team
examines network access paths, identifying classes of information
technology components related to each critical asset. The team then
determines the extent to which each class of component is resistant to
network attacks.
Phase 3: Develop Security Strategy and Plans
During this part of the evaluation, the analysis team identifies risks to the
organization’s critical assets and decides what to do about them. The team
creates a protection strategy for the organization and mitigation plans to
address the risks to the critical assets, based upon an analysis of the
information gathered.
OCTAVE Method
The OCTAVE Method was developed with large organizations in mind
✓ Large organizations generally have a multi-layered hierarchy and are
disjoint or geographically distributed
✓ Formal data-gathering activities to determine what information-related
assets are important, how they are used, and how they are threatened
become an essential part of conducting OCTAVE in large organizations
✓ Large organization is likely to maintain its own computing infrastructure
and have the internal ability to run vulnerability evaluation tools and
interpret the results in relation to its critical assets
OCTAVE Method Processes
The OCTAVE Method comprises the three phases required by the OCTAVE
criteria:
1. Phase 1: Build Asset-Based Threat Profiles
The two major functions of this phase are gathering information from across the
organization and defining threat profiles for critical assets.
Process 1: Identify Senior Management Knowledge - The analysis team
collects information about important assets, security requirements, threats,
and current organizational strengths and vulnerabilities from a representative
set of senior managers.
Process 2: Identify Operational Area Knowledge - The analysis team collects
information about important assets, security requirements, threats, and
current organizational strengths and vulnerabilities from managers of
selected operational areas.
Process 3: Identify Staff Knowledge - The analysis team collects information
about important assets, security requirements, threats, and current
organizational strengths and vulnerabilities from general staff and IT staff
members of the selected operational areas.
Process 4: Create Threat Profiles - The analysis team selects three to five
critical information-related assets and defines the threat profiles for those
assets.
2. Phase 2: Identify Infrastructure Vulnerabilities – During this phase, the analysis
team evaluates key components of systems supporting the critical assets for
technological vulnerabilities.
Process 5: Identify Key Components - A representative set of key components
from the systems that support or process the critical information-related
assets are identified, and an approach for evaluating them is defined.
Process 6: Evaluate Selected Components - Tools are run to evaluate the
selected components, and the results are analyzed to refine the threat profiles
(for network-access threats) for the critical assets.
3. Phase 3: Develop Security Strategy and Plans – The primary purpose of this
phase is to evaluate risks to critical assets and develop an organizational
protection strategy and risk mitigation plans.
Process 7: Conduct Risk Analysis - An organizational set of impact evaluation
criteria are defined to establish a common basis for determining the impact
value (high, medium, or low) due to threats to critical assets. All active risks
are evaluated for impact.
Process 8: Develop Protection Strategy - The team develops an organization-
wide protection strategy focused on improving the organization’s security
practices as well as mitigation plans to reduce the important risks to critical
assets.
OCTAVE-S
OCTAVE-S was developed and tested for small organizations (20-80 people). It is
designed for organizations that can empower a team of three to five people to conduct
all evaluation activities, without the need for formal data-gathering activities.
It meets the same OCTAVE criteria as the OCTAVE Method but is adapted to the more
limited means and unique constraints of small organizations. OCTAVE-S is a more
streamlined version of the original process, but still retains the same quality of results
as its predecessor.
OCTAVE-S has the same three phases described in the OCTAVE approach and in the
OCTAVE Method. However, the processes are somewhat different from the OCTAVE
Method.
OCTAVE-S Processes
Phase 1: Build Asset Based Threat Profiles – During this phase, organizational information is
identified and used to define threat profiles for three to five critical information related assets.
I. Process S1: Identify Organizational Information – The analysis team identifies the
organization’s important information related assets, defines a set of impact evaluation
criteria, and defines the current state of the organization’s security practices.
II. Process S2: Create Threat Profiles - The analysis team selects three to five critical
information-related assets and defines the security requirements and threat profiles for
those assets.

Phase 2: Identify Infrastructure Vulnerabilities – During this phase, the analysis team takes a
high-level review of their infrastructure and technology-related practices to refine the threat
profiles.
OCTAVE-S Processes
I. Process S3: Examine the Computing Infrastructure in Relation to Critical Assets - The
analysis team analyzes the access paths in the systems that support the critical assets
and determines how well their technology related processes are protecting those assets.

Phase 3: Develop Security Strategy and Plans – During this phase, the risks to critical assets are
evaluated and an organizational protection strategy and risk mitigation plans are defined.
I. Process S4: Identify and Analyze Risks – The analysis team evaluates all active risks for
impact and, optionally, probability.
II. Process S5: Develop Protection Strategy and Mitigation Plans – The team develops an
organization-wide protection strategy and risk mitigation plans based on security
practices.
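Process 7 of the OCTAVE Method and Process S4 of OCTAVE-S both rate every active risk against impact evaluation criteria agreed once for the whole organization, optionally adding probability. The Python sketch below is an added example, not code from the slides or from the OCTAVE materials: it models a threat profile for two constructed critical assets, treats a threat as an active risk only when its outcome violates one of the asset's security requirements, rates each active risk high/medium/low against constructed impact criteria, and returns the risks in priority order. The impact areas, threshold values, asset names and threat data are all assumptions made for illustration.

```python
"""OCTAVE-style risk analysis (Process 7 / Process S4) over a constructed threat profile.

Added example: the impact areas, thresholds, assets and threats below are
constructed for illustration and are not taken from the OCTAVE materials.
"""
from dataclasses import dataclass, field
from typing import Optional

IMPACT_LEVELS = ["low", "medium", "high"]

# Impact evaluation criteria: for each impact area, the smallest magnitude that
# counts as "medium" and as "high". Constructed thresholds; a real analysis
# team agrees these once so every risk is rated on a common basis.
IMPACT_CRITERIA = {
    "financial_loss_usd": {"medium": 10_000, "high": 100_000},
    "downtime_hours": {"medium": 4, "high": 24},
}

# Which security requirement each threat outcome violates.
OUTCOME_VIOLATES = {
    "disclosure": "confidentiality",
    "modification": "integrity",
    "loss": "availability",
    "interruption": "availability",
}


@dataclass
class Threat:
    actor: str                         # e.g. "external", "insider", "system problem"
    access: str                        # "network" or "physical"
    outcome: str                       # a key of OUTCOME_VIOLATES
    estimated_impact: dict             # impact area -> estimated magnitude
    probability: Optional[str] = None  # optional, as in OCTAVE-S Process S4


@dataclass
class CriticalAsset:
    name: str
    security_requirements: list        # subset of confidentiality/integrity/availability
    threats: list = field(default_factory=list)


def rate_area(area: str, magnitude) -> str:
    """Map one impact-area magnitude to low/medium/high using the criteria."""
    thresholds = IMPACT_CRITERIA[area]
    if magnitude >= thresholds["high"]:
        return "high"
    if magnitude >= thresholds["medium"]:
        return "medium"
    return "low"


def impact_value(threat: Threat) -> str:
    """Overall impact is the worst rating across the areas the threat affects."""
    ratings = [rate_area(a, m) for a, m in threat.estimated_impact.items()]
    return max(ratings, key=IMPACT_LEVELS.index) if ratings else "low"


def active_risks(asset: CriticalAsset) -> list:
    """A threat is an active risk only if its outcome violates a requirement of the asset."""
    return [t for t in asset.threats
            if OUTCOME_VIOLATES[t.outcome] in asset.security_requirements]


def analyze(assets: list) -> list:
    """Rate every active risk and return them highest impact (then probability) first."""
    rows = []
    for asset in assets:
        for t in active_risks(asset):
            rows.append({"asset": asset.name, "actor": t.actor, "access": t.access,
                         "outcome": t.outcome, "impact": impact_value(t),
                         "probability": t.probability})

    def priority(row):
        # Unrated probability sorts below a rated "low".
        prob = IMPACT_LEVELS.index(row["probability"]) if row["probability"] else -1
        return (IMPACT_LEVELS.index(row["impact"]), prob)

    return sorted(rows, key=priority, reverse=True)


# Constructed sample threat profile for two assets.
SAMPLE_ASSETS = [
    CriticalAsset("customer records", ["confidentiality", "integrity", "availability"], [
        Threat("external", "network", "disclosure", {"financial_loss_usd": 250_000}, "medium"),
        Threat("insider", "physical", "modification", {"financial_loss_usd": 20_000}, "low"),
    ]),
    CriticalAsset("public brochure site", ["availability"], [
        # Disclosure of already-public content violates no requirement: not an active risk.
        Threat("external", "network", "disclosure", {"financial_loss_usd": 500}),
        Threat("system problem", "network", "interruption",
               {"downtime_hours": 6, "financial_loss_usd": 5_000}),
    ]),
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_ASSETS):
        print(f'{row["impact"]:6} {row["probability"] or "-":6} {row["asset"]}: '
              f'{row["actor"]}/{row["access"]} -> {row["outcome"]}')
```

Two design points carry over to a real evaluation: the impact criteria live in one place so that every asset owner rates against the same thresholds, and a threat that does not violate any stated security requirement of the asset is dropped before rating rather than scored low, which keeps the mitigation plan focused on the requirements the team actually wrote down in Phase 1.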
Selecting a method to implement
The OCTAVE Method is designed/structured for an analysis team who have some
understanding of IT and security issues, employing an open, brainstorming
approach for gathering and analyzing information.

OCTAVE-S, on the other hand, is much more structured, with security concepts
embedded in its worksheets, allowing for their use by less experienced
practitioners.

Experienced teams may find OCTAVE-S too constraining, while inexperienced
teams may become lost using the OCTAVE Method.
The following set of questions should be used to help one decide which
method is best suited for an organization.
These questions are guidelines only, not a black-and-white decision process
✓ The OCTAVE approach can be very beneficial to certain organizations. If
followed correctly, the organization will, in the long run, save money
and have a strong security practice in effect.
✓ It is a highly accredited risk assessment method that can help attract
customers by its strength.
✓ The OCTAVE method produces a risk assessment for the organization’s
unique assets and risks, which will help save wasteful spending.
✓ The OCTAVE method can help ease customer concern and passes some
of the stringent security guidelines associated with some organizations.
