Control Objectives for Information Technology (COBIT)
By: Edris Ahmady
Introduction:
Frameworks come in many shapes and sizes, some may serve a specific purpose while others are general guidelines meant to be followed to optimize tasks and processes within an organization. Frameworks such as The NIST Cybersecurity framework were born to mitigate risk as much as possible within an organization dealing with a lot of technology assets. On the other hand, frameworks such as COBIT are overarching and are intended to be implemented in a wide range of industries and organizations, many times working in tandem with frameworks like the NIST Cybersecurity Framework.
What is COBIT:
The Control Objectives for Information Technologies (COBIT) is a valuable framework that aims to provide governance and management to an organization’s information and technology assets. It consists of five core principles, seven holistic enablers, and seven steps for successfully implementing IT assets within an organization. When all of these components come together, an organization will have a successful, efficient, and agile way of managing, implementing, and keeping up to date with all of its information and technology assets.
Five Core Principles of COBIT:
- Meeting Stakeholders needs
- One of the main things to keep in mind when implementing COBIT is to always pay attention to your stakeholders needs. Although it might be pretty self-explanatory, an enterprise’s main purpose is to create value for stakeholders. This may be done by either, benefit realization, risk optimization or resource optimization. Additionally, when clear goals/needs are set by stakeholders it creates a cascading effect throughout the entire organization which can create synergy.
- Covering the Enterprise End to End
- This means that COBIT is intended to be implemented in all aspects existing within an organization. The governance and management of information and technology is addressed from the top level of management all the way to the lowest level.
- Applying a Single Integrated Framework
- COBIT is an overarching framework intended to work alongside detailed and specific frameworks. It is important when using COBIT to also use industry specific/standard best practices.
- Enabling a Holistic Approach
- COBIT’s purpose is to encapsulate an entire organization, this can be done by seven holistic enablers that optimize information and technology achieving common goals.
- The seven holistic enablers are as follows:
- Process: Are an organizations practices and activities that work together to achieve a certain objective or produce a certain outcome all of which are in support of IT related goals.
- Organizational Structure: Are vital aspects of an organization responsible for major decision making.
- Culture, Ethics, and Behavior: Are underestimated factors in the governance and management activities within an organization.
- Principle, Policies, and Frameworks: Are the catalyst in translating necessary behaviors and activities into guidance for day to day management.
- Information: Information is vital to all aspects of an organization, information just by itself is crucial in keeping an organization on its feet.
- Service, Infrastructure, and Application: are the infrastructure, technology and application that provides an organization with information technology.
- People, Skills, and Competences: At the end the people, their skills, and competences are whats most important to facilitate decision making and corrective actions.
- Separating Governance from Management
- It is important to separate Governance from Management to ensure best practices are being followed. It helps ensure that the organization is always following common goals set between them.
The Seven phases for Implementation
- What are the drivers?: In the first phase an organization comes together to recognize and agree to the need of implementing Information and technology governance and management.
- What are we now?: In this phase an organization focuses on defining the scope of implementation using COBIT mapping of enterprise goals. This means that an organization looks at where Information and technology can be implemented to increase value and reach stakeholder needs.
- What do we want to be?: This phase targets are set, followed by more detailed analysis in order to identify gaps and potential solutions.
- What needs to be done?: In this phase, practical solutions are defined and projects are set where information and technology is used to further business processes
- How do we get there?: In this phase, the solutions are implemented in day to day practices. Then measures can be defined to see if implementing COBIT have helped them achieve an organizations goals.
- Did we get there?: In this phase, an organization focuses on measures to see if new or improved enables need to be added to achieve further goals.
- How do we keep this momentum going? In this phase, the overall implementation, management, and governance of processes, information and technology is assessed to see if anymore improvements are needed or to see if overarching goals have been achieved.
Conclusion:
I hope by reading this quick blurb about COBIT you were able to understand what the overarching goal of COBIT is and its necessity for implementation. This was just a quick explanation of what COBIT is and what it is meant to do. To learn more about this framework and to see its implementations in specific cases I highly encourage you to visit www.isaca.org/resource/cobit.