Introduction :-
CONTROL OBJECTIVE FOR INFORMATION AND RELATED TECHNOLOGY (COBIT)
COBIT is a comprehensive IT governance framework from ISACA, first launched in 1996. It provides auditors with guidelines for auditing information systems. COBIT has been revised periodically since 1996; the latest version, COBIT 5, was released in 2012.
Risk Management In COBIT 5
COBIT provides best practices for the development and use of IT systems. COBIT 5, released in 2012, adds a separate domain for the governance of IT to support enterprise governance and risk management.
In short, COBIT 5 divides its practices into two main areas: governance and management.
The governance domain is Evaluate, Direct and Monitor (EDM), and it has the following practices :-
1. EDM01 Ensure governance framework setting and maintenance
2. EDM02 Ensure benefits delivery
3. EDM03 Ensure risk optimisation
4. EDM04 Ensure resource optimisation
5. EDM05 Ensure stakeholder transparency
The management area contains 4 domains :-
1. Align, Plan and Organise (APO), which includes APO12 Manage risk
2. Build, Acquire and Implement (BAI)
3. Deliver, Service and Support (DSS)
4. Monitor, Evaluate and Assess (MEA)
A combination of EDM03 (Ensure risk optimisation, the governance perspective) and APO12 (Manage risk, the management perspective) covers the entire risk management life cycle from both the "governance" and the "management" side.
Key Management Practices of IT compliance
COBIT 5 provides key management practices for complying with external rules and laws. These are :-
1. Identify external compliance requirements :-
The organization should constantly monitor changes in local laws and regulations and determine what needs to be complied with from an IT perspective.
2. Optimise response to external requirements :-
In this step the organization not only reviews and adjusts its policies in line with the changes identified in step 1, but also looks for comparable approaches and evaluates its policies against industry standards.
3. Confirm external compliance :-
Once the principles and policies are set, it is time to confirm compliance with them: are they aligned with all the defined IT practices, and do they fall within the purview of the legal framework?
4. Obtain assurance of external compliance :-
There is a difference between getting work done and ensuring its quality. Such assurance comes through certification and audit for compliance with, and adherence to, regulations, policies and standards.
Principles of COBIT
There are 5 principles of COBIT, which are based on the 7 enablers of the COBIT framework.
1. Meeting shareholders' needs :-
Every enterprise exists to create value for its stakeholders. COBIT describes how the objectives of the organization should be customised so that they not only create value but also fulfil IT-related goals.
2. Covering the enterprise end to end :-
COBIT does not focus only on IT governance but also on organizational governance. It describes that IT assets should be treated in the same manner as any other organizational asset and protected accordingly.
3. Applying a single integrated framework :-
COBIT 5 is a single integrated framework that aligns with other standards and frameworks such as COSO and ISO 27001, which ultimately creates a strong governance and management framework.
4. Enabling a holistic approach :-
COBIT 5 describes 7 enablers on which its principles are based. They are:
· Principles, policies and Framework
· Processes
· Organizational structures
· Culture ,ethics and behaviour
· Information
· Services, Infrastructure and applications
· People, skills and competencies
A holistic approach focuses on balancing the above enablers to achieve the organization's objectives.
5. Separating governance from management :-
In most organizations the word governance refers to the board of directors (BOD), working under the leadership of the chairman, while management refers to executive management, working under the leadership of the CEO. COBIT differentiates the two neatly by providing separate domains for governance (EDM, with 5 practices) and management (4 domains).
In short, COBIT brings together best practices in an aligned manner that helps an organization attain governance, risk management and compliance (GRC).
Regards
Renu