APPENDIX B: CONTROL OBJECTIVES FOR INFORMATION TECHNOLOGY (COBIT)

The COBIT framework is a comprehensive description of the risks and controls in IT environments. The framework establishes four domains of what COBIT terms “High Level Control Objectives”:

  1. Planning and organization
  2. Acquisition and implementation
  3. Delivery and support
  4. Monitoring

Exhibit 3-7 Examples of COBIT Domains and Processes

In each of these four domains, COBIT provides a description of the processes, the underlying information criteria that apply to those processes, and the related IT resources. COBIT includes 34 processes across the four domains. Rather than discuss all of these processes, four are provided in Exhibit 3-7 as examples.

For each domain, controls over processes can be categorized according to the information criteria that apply to the process and the IT resources managed by the process. COBIT defines information criteria as effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability. These criteria are represented across the top of the first part of the matrix in Exhibit 3-7. As an example, one process that occurs in an IT environment is acquiring and maintaining software. The matrix of information criteria indicates that for this process, effectiveness and efficiency are the primary criteria. This means that as an organization acquires and maintains software, it must establish and follow IT controls that assure the effectiveness and efficiency of that software. An example of a specific control to achieve this objective is to test the software prior to purchasing it. Testing can help ensure that it is effective and efficient. Also, notice the secondary criteria of integrity and reliability. Controls should also be employed to ensure that software is reliable and has integrity (accuracy and completeness). Again, a control such as testing the software assists in assuring the reliability and integrity of the software acquired.

The second part of the matrix shown in Exhibit 3-7 identifies the IT resources. IT resources provide the information needed by business processes. COBIT defines IT resources as applications, information, infrastructure, and people. In the previous example, the applications are the only factors that are directly managed in the process of acquiring and maintaining software.
