cobit regulations

The ITGovernance Institute® is pleased to offer you this complimentary download of COBIT®.

COBIT provides good practices for the management of IT processes in a manageable and logical structure,meeting the multiple needs of enterprise management by bridging the gaps between business risks, technicalissues, control needs and performance measurement requirements. If you believe as we do, that COBIT enablesthe development of clear policy and good practices for IT control throughout your organisation, we invite you tosupport ongoing COBIT research and development.

There are two ways in which you may express your support: (1) Purchase COBIT through the association(ISACA) Bookstore (please see the following pages for order form and association membership application.Association members are able to purchase COBIT at a significant discount); (2) Make a generous donation tothe IT Governance Institute, which conducts research and authors COBIT.

The complete COBIT package consists of all six publications, an ASCII text diskette, four COBIT implementation/orientation Microsoft® PowerPoint® presentations and a CD-ROM. A brief overview of each component is provided below. Thank you for your interest in and support of COBIT!

For additional information about the IT Governance Institute, visit www.itgi.org.

We invite your comments and suggestions regarding COBIT. Please visit www.isaca.org/cobitinput.

Management GuidelinesTo ensure a successful enterprise, you must effectively manage theunion between business processes and information systems. Thenew Management Guidelines is composed of maturity models, critical success factors, key goal indicators and key performanceindicators. These Management Guidelines will help answer thequestions of immediate concern to all those who have a stake inenterprise success.

Executive SummarySound business decisions are based on timely, relevant and con-cise information. Specifically designed for time-pressed seniorexecutives and managers, the COBIT Executive Summaryexplains COBIT’s key concepts and principles.

FrameworkA successful organization is built on a solid framework of dataand information. The Framework explains how IT processesdeliver the information that the business needs to achieve itsobjectives. This delivery is controlled through 34 high-levelcontrol objectives, one for each IT process, contained in thefour domains. The Framework identifies which of the seveninformation criteria (effectiveness, efficiency, confidentiality,integrity, availability, compliance and reliability), as well aswhich IT resources (people, applications, technology, facilitiesand data) are important for the IT processes to fully supportthe business objective.

Audit GuidelinesAnalyze, assess, interpret, react, implement. To achieve yourdesired goals and objectives you must constantly and consistentlyaudit your procedures. Audit Guidelines outlines and suggestsactual activities to be performed corresponding to each of the 34high-level IT control objectives, while substantiating the risk ofcontrol objectives not being met.

Control ObjectivesThe key to maintaining profitability in a technologically changingenvironment is how well you maintain control. COBIT’s ControlObjectives provides the critical insight needed to delineate a clearpolicy and good practice for IT controls. Included are the state-ments of desired results or purposes to be achieved byimplementing the 318 specific, detailed control objectivesthroughout the 34 high-level control objectives.

Implementation Tool SetThe Implementation Tool Set contains management awareness andIT control diagnostics, implementation guide, frequently askedquestions, case studies from organizations currently using COBITand slide presentations that can be used to introduce COBIT intoorganizations. The tool set is designed to facilitate the implementa-tion of COBIT, relate lessons learned from organizations thatquickly and successfully applied COBIT in their work environ-ments and assist management in choosing implementation options.

CD-ROMThe CD-ROM, which contains all of COBIT, is published as aFolio infobase. The material is accessed using Folio Views®, whichis a high-performance, information retrieval software tool. Accessto COBIT’s text and graphics is now easier than ever, with flexiblekeyword searching and built-in index links (optional purchase).

A network version (multi-user) of COBIT 3rd Edition is available. It is compatible with Microsoft Windows NT/2000 andNovell NetWare environments. Contact the ISACA Bookstore forpricing and availability.

See order form, donation information and membership application on the following pages.

Recent ITGI Research Projects

Risks of Customer Relationship ManagementA Security, control and Audit Approach, ISCR

Member - $75 Nonmember - $85

e-Commerce SecuritySecuring the Network Perimeter, TRS-3


e-Commerce SecurityBusiness Continuity Planning, IBCPMember - $35 Nonmember - $50

e-Commerce SecurityPublic Key Infrastructure: Good Practices

for Secure Communications, TRS-2


For additional information on these publications and others offered through the Bookstore, please visit www.isaca.org/bookstore.

ITGI Contribution FormContributor: ______________________________________________

Address:_________________________________________________

________________________________________________________

City_________________________State/Province ________________

Zip/Postal Code ________________Country ____________________

Remitted by: _____________________________________________

Phone: __________________________________________________

E-mail: __________________________________________________

Contribution amount (US $):$25 (donor) $100 (Silver) $250 (Gold)

$500 (Platinum) Other US $_______

Check enclosed payable in US dollars to ITGI

Charge my: VISA MasterCard

American Express Diners Club

Card number____________________________Exp. Date _________

Name of cardholder: _______________________________________

Signature of cardholder: ____________________________________

Complete card billing address if different from address on left________________________________________________________

________________________________________________________

________________________________________________________U.S. Tax ID number: 95-3080691

Fax your credit card contribution to ITGI at +1.847.253.1443, or mail your contribution to:ITGI, 135 S. LaSalle Street, Department 1055, Chicago, IL 60674-1055 USA

Direct any questions to Scott Artman at +1.847.253.1545, ext. 459, or [email protected] you for supporting COBIT!

For information on the institute and contribution benefits see www.itgi.org

Security Provisioning:Managing Access in Extended Enterprises, ISSP


Name _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Date _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

ISACA Member: ❏ Yes ❏ No Member Number _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _If an ISACA Member, is this a change of address? ❏ Yes ❏ No

Company Name _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Address: ❏ Home ❏ Company ___________________________________________________________________________________________________

City _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ State/Province _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Country ________________________________ Zip/Mail Code ___________________

Phone Number ( ) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Fax Number ( ) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

E-mail Address _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Special Shipping Instructions or Remarks _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Code Title/Item Quantity Unit Price Total

All purchases are final. SubtotalAll prices are subject to change.

Illinois (USA) residents, add 8.25% sales tax, orTexas (USA) residents, add 6.25% sales tax

Shipping and Handling – see chart below

TOTAL

PAYMENT INFORMATION – PREPAYMENT REQUIRED❏ Payment enclosed. Check payable in U.S. dollars, drawn on U.S. bank, payable to the Information Systems Audit and Control Association.

❏ Charge to ❏ VISA ❏ MasterCard ❏ American Express ❏ Diners Club(Note: All payments by credit card will be processed in U.S. Dollars)

Account # _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Exp. Date _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Print Cardholder Name _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Signature of Cardholder _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Cardholder Billing Address if different than above _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Shipping and Handling RatesFor orders totaling Outside USA and Canada Within USA and CanadaUp to US$30 $7 $4US$30.01 - US$50 $12 $6US$50.01 - US$80 $17 $8US$80.01 - US$150 $22 $10Over US$150 15% of total 10% of total

Please send me information on: ❏ Association membership ❏ Certification ❏ Conferences ❏ Seminars ❏ Research Projects

Pricing and Order Form

ISACA BOOKSTORE

135 SOUTH LASALLE, DEPARTMENT 1055, CHICAGO, IL 60674-1055 USATELEPHONE: +1.847.253.1545, EXT. 401 FAX: +1.847.253.1443 E-MAIL: [email protected] SITE: www.isaca.org/bookstore

PDF

CODE ISACA Members Non-MembersComplete COBIT® 3rd Edition© CB3S $70 (text only)

CB3SC $115 (text and CD-ROM) $225 (text and CD-ROM)

Individual components are also available for purchase:CODE ISACA Members Non-Members

Executive Summary CB3E $3 $3Management Guidelines CB3M $40 $50Framework CB3F $15 $20Control Objectives CB3C $25 $30Audit Guidelines CB3A $50 $155Implementation Tool Set CB3I $15 $20

All prices are US dollars. Shipping is additional to all prices.

Send mail to■■ Home■■ Business

MEMBERSHIP APPLICATION

Current field of employment (check one)■■ Financial■■ Banking■■ Insurance■■ Transportation■■ Retail & Wholesale■■ Government/National■■ Government/State/Local■■ Consulting■■ Education/Student■■ Education/Instructor■■ Public Accounting■■ Manufacturing■■ Mining/Construction/Petroleum■■ Utilities■■ Other Service Industry■■ Law■■ Health Care■■ Other

Date of Birth________________________MONTH/DAY/YEAR

Level of education achieved(indicate degree achieved, or number of years ofuniversity education if degree not obtained)■■ One year or less ■■ AS■■ Two years ■■ BS/BA■■ Three years ■■ MS/MBA/Masters■■ Four years ■■ Ph.D.■■ Five years ■■ Other■■ Six years or more ______________

Certifications obtained (other than CISA) ■■ CISM ■■ FCA■■ CPA ■■ CFE■■ CA ■■ MA■■ CIA ■■ FCPA■■ CBA ■■ CFSA■■ CCP ■■ CISSP■■ CSP ■■ Other __________

Work experience(check the number of years of InformationSystems work experience)■■ No experience ■■ 8-9 years■■ 1-3 years ■■ 10-13 years■■ 4-7 years ■■ 14 years or more

Current professional activity (check one)■■ CEO■■ CFO■■ CIO/IS Director■■ Audit Director/General Auditor■■ IS Security Director■■ IS Audit Manager■■ IS Security Manager■■ IS Manager■■ IS Auditor■■ External Audit Partner/Manager■■ External Auditor■■ Internal Auditor■■ IS Security Staff■■ IS Consultant■■ IS Vendor/Supplier■■ IS Educator/Student■■ Other ____________________________

Payment due • Association dues ✝ $ 120.00 (US)• Chapter dues (see following page) $ _____ (US)• New member processing fee $ 30.00 (US)*

PLEASE PAY THIS TOTAL $ _____ (US)✝ For student membership information please visit www.isaca.org/student

* Membership dues consist of association dues, chapter dues and new member processing fee.

Method of payment■■ Check payable in US dollars, drawn on US bank■■ Send invoice (Applications cannot be processed until dues payment is received.)■■ MasterCard ■■ VISA ■■ American Express ■■ Diners Club

All payments by credit card will be processed in US dollars

ACCT # ____________________________________________

Print name of cardholder _______________________________

Expiration date_______________________________________MONTH/YEAR

Signature ___________________________________________

Cardholder billing address if different than address provided above:

___________________________________________________

___________________________________________________

By applying for membership in the Information Systems Audit and ControlAssociation, members agree to hold the association and the IT GovernanceInstitute, their officers, directors, agents, trustees, and employees and members,harmless for all acts or failures to act while carrying out the purpose of the association and the institute as set forth in their respective bylaws, and they certify that they will abide by the association’s Code of Professional Ethics(www.isaca.org/ethics).

Initial payment entitles new members to membership beginning the first day ofthe month following the date payment is received by International Headquartersthrough the end of that year. No rebate of dues is available upon early resignationof membership.

Contributions, dues or gifts to the Information Systems Audit and ControlAssociation are not tax deductible as charitable contributions in the United States.However, they may be tax deductible as ordinary and necessary businessexpenses.

Membership dues allocated to a 1-year subscription to the IS Control Journal areas follows: $45 for US members, $60 for non-US members. This amount is notdeductible from dues.

Make checks payable to:Information Systems Audit and Control AssociationMail your application and check to:Information Systems Audit and Control Association135 S. LaSalle, Dept. 1055Chicago, IL 60674-1055 USAPhone: +1.847.253.1545 x470Fax: +1.847.253.1443

□ MR. □ MS. □ MRS. □ MISS □ OTHER _______________ Date ____________________________MONTH/DAY/YEAR

Name_______________________________________________________________________________________________________FIRST MIDDLE LAST/FAMILY

____________________________________________________________________________________________________________PRINT NAME AS YOU WANT IT TO APPEAR ON MEMBERSHIP CERTIFICATE

Residence address ____________________________________________________________________________________________STREET

____________________________________________________________________________________________CITY STATE/PROVINCE/COUNTRY POSTAL CODE/ZIP

Residence phone _____________________________________ Residence facsimile ____________________________________AREA/COUNTRY CODE AND NUMBER AREA/COUNTRY CODE AND NUMBER

Company name ____________________________________________________________________________________________

Business address ____________________________________________________________________________________________STREET

____________________________________________________________________________________________CITY STATE/PROVINCE/COUNTRY POSTAL CODE/ZIP

Business phone _____________________________________ Business facsimile _____________________________________AREA/COUNTRY CODE AND NUMBER AREA/COUNTRY CODE AND NUMBER

E-mail ________________________________________________________

123456789

101112131415161799

1234567

89

1011121399

123456

123

456

789

1099

123456789

1011121314151699

Please complete both sidesU.S. Federal I.D. No. [email protected]

Form of Membership requested■■ Chapter Number (see reverse)________________■■ Member at large (no chapter within 50 miles/80 km)■■ Student (must be verified as full-time)■■ Retired (no longer seeking employment)

How did you hear about ISACA?1 ■■ Friend/Coworker2 ■■ Employer3 ■■ Internet Search4 ■■ IS Control Journal5 ■■ Other Publication

6 ■■ Local Chapter7 ■■ CISA Program8 ■■ Direct Mail9 ■■ Educational Event

■■ I do not want to be included ona mailing list, other than that forAssociation mailings.

✳ Call chapter for information

U.S. dollar amounts listed below are for local chapter dues. While correct at the time of printing, chapter dues are subject tochange without notice. Please include the appropriate chapter duesamount with your remittance.

For current chapter dues, or if the amount is not listed below, pleasevisit the web site www.isaca.org/chapdues or contact your localchapter at www.isaca.org/chapters.

ASIAHong Kong 64 $40Bangalore, India 138 $15Cochin, India 176 $10Coimbatore, India 155 $10Hyderabad, India 164 $17Kolkata, India 165 ✳Madras, India (Chennai) 99 $10Mumbai, India 145 ✳New Delhi, India 140 $10Pune, India 159 $17Indonesia 123 ✳Nagoya, Japan 118 $130Osaka, Japan 103 $10Tokyo, Japan 89 $120Korea 107 $30Lebanon 181 $35Malaysia 93 $10Muscat, Oman 168 $40Karachi, Pakistan 148 $15Manila, Philippines 136 $0Jeddah, Saudi Arabia 163 $0Riyadh, Saudi Arabia 154 $0Singapore 70 $10Sri Lanka 141 $15Taiwan 142 $50Bangkok, Thailand 109 $10UAE 150 $10

CENTRAL/SOUTH AMERICABuenos Aires, Argentina 124 $35Mendoza, Argentina 144 ✳São Paulo, Brazil 166 $25LaPaz, Bolivia 173 $25Santiago de Chile 135 $40Bogotá, Colombia 126 $50San José, Costa Rica 31 $33Quito, Ecuador 179 $15Mérida, Yucatán, México 101 $50Mexico City, México 14 $65Monterrey, México 80 $65Panamá 94 $25Lima, Perú 146 $15Puerto Rico 86 $30Montevideo, Uruguay 133 $100Venezuela 113 $25

EUROPE/AFRICAAustria 157 $45Belux 143 $48(Belgium and Luxembourg)Croatia 170 $50Czech Republic 153 $110Denmark 96 ✳Estonian 162 $10Finland 115 $70Paris, France 75 ✳German 104 $80Athens, Greece 134 $20Budapest, Hungary 125 $60Irish 156 $40Tel-Aviv, Israel 40 ✳Milano, Italy 43 $53Rome, Italy 178 $26

Kenya 158 $40Latvia 139 $10Lithuania 180 $20Netherlands 97 $50Lagos, Nigeria 149 $20Oslo, Norway 74 $50Warsaw, Poland 151 $30Moscow, Russia 167 $0Romania 172 $50Slovenia 137 $50Slovensko 160 $40South Africa 130 $35Barcelona, Spain 171 $110Valencia, Spain 182 $25Sweden 88 $45Switzerland 116 $35Tanzania 174 $40London, UK 60 $80Central UK 132 $55Northern England 111 $50Scottish, UK 175 $45

NORTH AMERICACanadaCalgary, AB 121 $0Edmonton, AB 131 $25Vancouver, BC 25 $20Victoria, BC 100 $0Winnipeg, MB 72 $15Nova Scotia 105 $0Ottawa Valley, ON 32 $10Toronto, ON 21 $25Montreal, PQ 36 $20Quebec City, PQ 91 $35

IslandsBermuda 147 $0Trinidad & Tobago 106 $25

Midwestern United StatesChicago, IL 02 $50Illini (Springfield, IL) 77 $30Central Indiana 56 $30(Indianapolis)Michiana (South Bend, IN) 127 $25Iowa (Des Moines) 110 $25Kentuckiana (Louisville, KY) 37 $30Detroit, MI 08 $35Western Michigan 38 $25(Grand Rapids)Minnesota (Minneapolis) 07 $30Omaha, NE 23 $30Central Ohio (Columbus) 27 $25Greater Cincinnati, OH 03 $20Northeast Ohio (Cleveland) 26 $30Kettle Moraine, WI 57 $25(Milwaukee)Quad Cities 169 $0

Northeastern United StatesGreater Hartford, CT 28 $40(Southern New England)Central Maryland 24 $25(Baltimore)

New England (Boston, MA) 18 $30New Jersey (Newark) 30 $40Central New York 29 $0(Syracuse)Hudson Valley, NY 120 $0(Albany)New York Metropolitan 10 $50Western New York 46 $30(Buffalo)Harrisburg, PA 45 $25Lehigh Valley 122 $35(Allentown, PA)Philadelphia, PA 06 $40Pittsburgh, PA 13 $20National Capital Area, DC 05 $40

Southeastern United StatesNorth Alabama (Birmingham)65 $30Jacksonville, FL 58 $30Central Florida (Orlando) 67 $30South Florida (Miami) 33 $40West Florida (Tampa) 41 $35Atlanta, GA 39 $35Charlotte, NC 51 $35Research Triangle 59 $25(Raleigh, NC)Piedmont/Triad 128 $30(Winston-Salem, NC)Greenville, SC 54 $30Memphis, TN 48 $45Middle Tennessee 102 $45(Nashville)Virginia (Richmond) 22 $30

Southwestern United StatesCentral Arkansas 82 $60(Little Rock)Central Mississippi 161 $0(Jackson)

Denver, CO 16 $40Greater Kansas City, KS 87 $0Baton Rouge, LA 85 $25Greater New Orleans, LA 61 $20St. Louis, MO 11 $25New Mexico (Albuquerque) 83 $25Central Oklahoma (OK City) 49 $30Tulsa, OK 34 $25Austin, TX 20 $25Greater Houston Area, TX 09 $40North Texas (Dallas) 12 $30San Antonio/So. Texas 81 $25

Western United StatesAnchorage, AK 177 $20Phoenix, AZ 53 $30Los Angeles, CA 01 $25Orange County, CA 79 $30(Anaheim)Sacramento, CA 76 $20San Francisco, CA 15 $45San Diego, CA 19 $25Silicon Valley, CA 62 $25(Sunnyvale)Hawaii (Honolulu) 71 $30

Boise, ID 42 $30Willamette Valley, OR 50 $30(Portland)Utah (Salt Lake City) 04 $30Mt. Rainier, WA (Olympia) 129 $20Puget Sound, WA (Seattle) 35 $25

OCEANIAAdelaide, Australia 68 $0Brisbane, Australia 44 $16Canberra, Australia 92 $15Melbourne, Australia 47 $25Perth, Australia 63 $5Sydney, Australia 17 $30Auckland, New Zealand 84 $30Wellington, New Zealand 73 $22Papua New Guinea 152 $0

To receive your copy of theInformation Systems Control Journal,please complete the following subscriber information:

Size of organization(at your primary place of business)➀ ■■ Fewer than 50 employees➁ ■■ 50-100 employess➂ ■■ 101-500 employees➃ ■■ More than 500 employees

Size of your professional audit staff(local office)➀ ■■ 1 individual➁ ■■ 2-5 individuals➂ ■■ 6-10 individuals➃ ■■ 11-25 individuals➄ ■■ More than 25 individuals

Your level of purchasing authority➀ ■■ Recommend products/services➁ ■■ Approve purchase➂ ■■ Recommend and approve

purchase

Education courses attended annually (check one)➀ ■■ None➁ ■■ 1➂ ■■ 2-3➃ ■■ 4-5➄ ■■ More than 5

Conferences attended annually(check one)➀ ■■ None➁ ■■ 1➂ ■■ 2-3➃ ■■ 4-5➄ ■■ More than 5

Primary reason for joining the association (check one)➀ ■■ Discounts on association

products and services➁ ■■ Subscription to IS Control Journal➂ ■■ Professional advancement/

certification➃ ■■ Access to research, publications,

and education99 ■■ Other___________________

Chapter ChapterName Number Dues




Certified Information Systems Auditor (CISA)The CISA program is designed to assess and certify individuals in theIS audit, control and security profession who demonstrate exception-al skill and judgment.

The CISA examination content areas include:• The IS audit process • Management, planning and organization of IS • Technical infrastructure and operational practices • Protection of information assets • Disaster recovery and business continuity • Business application system development, acquisition,implementation and maintenance

• Business process evaluation and risk management

To earn the CISA designation, candidates are required to:• Successfully complete the CISA examination• Adhere to the Information Systems Audit and Control Association (ISACA) Code of Professional Ethics

• Submit verified evidence of a minimum number of years of professional information systems auditing, control or security work experience

• Comply with the CISA continuing education program (after becoming certified)

One of the most important assets of an enterprise is its information. The integrity and reliability of

that information and the systems that generate it are crucial to an enterprise’s success. Faced with

complex and correspondingly ingenious cyberthreats, organizations are looking for individuals who

have the proven experience and knowledge to identify, evaluate and recommend solutions to mitigate

IT system vulnerabilities. ISACA offers two certifications to meet these needs.

Certification

Certified Information Security Manager (CISM)CISM is a newly created credential for security managers that pro-vides executive management with the assurance that those certifiedhave the expertise to provide effective security management andconsulting. It is business-oriented and focused on information riskmanagement while addressing management, design and technicalsecurity issues at a conceptual level.

The CISM credential measures expertise in the areas of:• Information security governance• Risk management• Information security program(me) development• Information security management• Response management

To earn the CISM designation, information security professionals arerequired to:• Successfully complete the CISM examination• Adhere to the Information Systems Audit and Control Association (ISACA) Code of Professional Ethics

• Submit verified evidence of a minimum number of years of information security experience, with a number of those years in the job analysis domains

• Comply with the CISM continuing education program (after becoming certified)

A grandfathering opportunity, available through 31 December 2003,allows information security professionals with the necessary experi-ence to apply for certification without taking the CISM exam.

Being a CISA or a CISM is more than passing an examination. It demonstrates the commitment, dedication and proficiency required to excel in your profession. These certifications identify their holders as consummate professionals who maintain a competitive advantage among their peers. Earning these designations helps assure a positive reputation and distinguishes you among other candidates seeking positions inboth the private and public sectors. As a member of ISACA, you have the opportunity to sit for the exams, purchase review materials and attend ISACA conferences to maintainyour certifications at a substantially reduced cost.

For more information on becoming a CISA or a CISM, visit the ISACA web site atwww.isaca.org/certification.

COBIT®

3rd Edition

Control Objectives

July 2000

Released by the COBIT Steering Committee and the IT Governance InstituteTM

The COBIT Mission:To research, develop, publicise and promote an authoritative, up-to-date,

international set of generally accepted information technology control objectivesfor day-to-day use by business managers and auditors.

AMERICAN SAMOAARGENTINAARMENIAAUSTRALIAAUSTRIABAHAMASBAHRAINBANGLADESHBARBADOSBELGIUMBERMUDABOLIVIABOTSWANABRAZILBRITISH VIRGIN ISLANDSCANADACAYMAN ISLANDSCHILECHINACOLOMBIACOSTA RICACROATIACURACAOCYPRUSCZECH REPUBLICDENMARKDOMINICAN REPUBLICECUADOREGYPTEL SALVADORESTONIAFAEROE ISLANDSFIJIFINLANDFRANCEGERMANYGHANAGREECEGUAMGUATEMALAHONDURASHONG KONGHUNGARYICELANDINDIAINDONESIAIRANIRELANDISRAELITALYIVORY COASTJAMAICAJAPANJORDANKAZAKHSTANKENYAKOREAKUWAIT

LATVIALEBANON

LIECHTENSTEINLITHUANIA

LUXEMBURGMALAYSIA

MALTAMALAWI

MAURITIUSMEXICO

NAMIBIANEPAL

NETHERLANDSNEW GUINEA

NEW ZEALANDNICARAGUA

NIGERIANORWAY

OMANPAKISTANPANAMA

PARAGUAYPERU

PHILIPPINESPOLAND

PORTUGALQATARRUSSIA

SAUDI ARABIASCOTLANDSEYCHELLESSINGAPORE

SLOVAK REPUBLICSLOVENIA

SOUTH AFRICASPAIN

SRI LANKAST. KITTSST. LUCIASWEDEN

SWITZERLANDTAIWAN

TANZANIATASMANIATHAILAND

TRINIDAD & TOBAGOTUNISIATURKEY

UGANDAUNITED ARAB EMIRATES

UNITED KINGDOMUNITED STATES

URUGUAYVENEZUELA

VIETNAMWALES

YUGOSLAVIAZAMBIA

ZIMBABWE

The Information Systems Audit and

Control Association is a leading global

professional organisation representing

individuals in more than 100 countries

and comprising all levels of IT —

executive, management, middle

management and practitioner. The

Association is uniquely positioned to

fulfil the role of a central, harmonising

source of IT control practice standards for

the world over. Its strategic alliances with

other groups in the financial, accounting,

auditing and IT professions are ensuring

an unparalleled level of integration and

commitment by business process owners.

Association Programmes

and ServicesThe Association’s services and programmes

have earned distinction by establishing

the highest levels of excellence in

certification, standards, professional

education and technical publishing.

• Its certification programme (the Certified

Information Systems AuditorTM) is the

only global designation throughout the

IT audit and control community.

• Its standards activities establish the

quality baseline by which other IT

audit and control activities are

measured.

• Its professional education programme

offers technical and management

conferences on five continents, as well

as seminars worldwide to help

professionals everywhere receive high-

quality continuing education.

• Its technical publishing area provides

references and professional

development materials to augment its

distinguished selection of programmes

and services.

The Information Systems Audit and

Control Association was formed in 1969

to meet the unique, diverse and high

technology needs of the burgeoning IT

field. In an industry in which progress is

measured in nano-seconds, ISACA has

moved with agility and speed to bridge

the needs of the international business

community and the IT controls profession.

For More InformationTo receive additional information, you

may telephone (+1.847.253.1545), send

an e-mail ([email protected]) or visit

these web sites:

www.ITgovernance.org

www.isaca.org

INFORMATION SYSTEMS AUDIT ANDCONTROL ASSOCIATION

A Single International Source for Information Technology Controls

Acknowledgments 4

Executive Overview 5-7

The COBIT Framework 8-12

The Framework’s Principles 13-17

COBIT History and Background 18-19

Control Objectives—Summary Table 20

The Control Objectives’ Principles 21

Control Objectives Navigation Overview 22

Control Objective Relationships:Domain, Processes and Control Objectives 23-27

Control Objectives 29

Planning and Organisation ................................31-68 Acquisition and Implementation .......................69-88 Delivery and Support ......................................89-124 Monitoring.....................................................125-134

Appendix I

IT Governance Management Guideline ........137-140

Appendix II

COBIT Project Description....................................141

Appendix III

COBIT Primary Reference Material...............142-143

Appendix IV

Glossary of Terms.................................................144

Index 145-148

TABLE OF CONTENTSDisclaimerThe Information Systems Audit and Control Foundation, ITGovernance Institute and the sponsors of COBIT: Control Objectivesfor Information and related Technology have designed and createdthe publications entitled Executive Summary, Framework, ControlObjectives, Management Guidelines, Audit Guidelines andImplementation Tool Set (collectively, the “Works”) primarily as aneducational resource for controls professionals. The InformationSystems Audit and Control Foundation, IT Governance Institute andthe sponsors make no claim that use of any of the Works will assurea successful outcome. The Works should not be considered inclusiveof any proper procedures and tests or exclusive of other proceduresand tests that are reasonably directed to obtaining the same results.In determining the propriety of any specific procedure or test, thecontrols professional should apply his or her own professional judg-ment to the specific control circumstances presented by the particularsystems or IT environment.

Disclosure and Copyright NoticeCopyright © 1996, 1998, 2000 by the Information Systems Audit andControl Foundation (ISACF). Reproduction for commercial purpose isnot permitted without ISACF’s prior written permission. Permission ishereby granted to use and copy the Executive Summary, Framework,Control Objectives, Management Guidelines and Implementation ToolSet for non-commercial, internal use, including storage in a retrievalsystem and transmission by any means including, electronic, mechani-cal, recording or otherwise. All copies of the Executive Summary,Framework, Control Objectives, Management Guidelines andImplementation Tool Set must include the following copyright noticeand acknowledgment: “Copyright 1996, 1998, 2000 InformationSystems Audit and Control Foundation. Reprinted with the permissionof the Information Systems Audit and Control Foundation and ITGovernance Institute.”

The Audit Guidelines may not be used, copied, reproduced, modi-fied, distributed, displayed, stored in a retrieval system, or transmit-ted in any form by any means (electronic, mechanical, photocopying,recording or otherwise), except with ISACF’s prior written autho-rization; provided, however, that the Audit Guidelines may be usedfor internal non-commercial purposes only. Except as stated herein,no other right or permission is granted with respect to this work. Allrights in this work are reserved.

Information Systems Audit and Control FoundationIT Governance Institute3701 Algonquin Road, Suite 1010Rolling Meadows, IL 60008 USAPhone: +1.847.253.1545Fax: +1.847.253.1443E-mail: [email protected] sites: www.ITgovernance.org

www.isaca.org

ISBN 1-893209-17-2 (Control Objectives)ISBN 1-893209-13-X (Complete 6 book set with CD-ROM)

Printed in the United States of America.

CONTROL OBJECTIVES

3I T G O V E R N A N C E I N S T I T U T E

I T G O V E R N A N C E I N S T I T U T E4

COBIT STEERING COMMITTEE

Erik Guldentops, S.W.I.F.T. sc, Belgium

John Lainhart, PricewaterhouseCoopers, USA

Eddy Schuermans, PricewaterhouseCoopers, Belgium

John Beveridge, State Auditor’s Office, Massachusetts, USA

Michael Donahue, PricewaterhouseCoopers, USA

Gary Hardy, Arthur Andersen, United Kingdom

Ronald Saull, Great-West Life Assurance, London Life and Investors Group, Canada

Mark Stanley, Sun America Inc., USA

ACKNOWLEDGMENTS

SPECIAL THANKS to the ISACA Boston and National Capital Area Chapters fortheir contributions to the COBIT Control Objectives.

SPECIAL THANKS to the members of the Board of the Information Systems Auditand Control Association and Trustees of the Information Systems Audit andControl Foundation, headed by International President Paul Williams, for theircontinuing and unwavering support of COBIT.

CONTROL OBJECTIVES


Critically important to the survival and success of anorganisation is effective management of information and

related Information Technology (IT). In this global informa-tion society—where information travels through cyberspacewithout the constraints of time, distance and speed—this criticality arises from the:

• Increasing dependence on information and the systemsthat deliver this information

• Increasing vulnerabilities and a wide spectrum ofthreats, such as cyber threats and information warfare

• Scale and cost of the current and future investments ininformation and information systems

• Potential for technologies to dramatically change organi-sations and business practices, create new opportunitiesand reduce costs

For many organisations, information and the technology thatsupports it represent the organisation’s most valuable assets.Moreover, in today’s very competitive and rapidly changingbusiness environment, management has heightened expecta-tions regarding IT delivery functions: management requiresincreased quality, functionality and ease of use; decreaseddelivery time; and continuously improving service levels—while demanding that this be accomplished at lower costs.

Many organisations recognise the potential benefits thattechnology can yield. Successful organisations, however,understand and manage the risks associated with imple-menting new technologies.

There are numerous changes in IT and its operating environ-ment that emphasise the need to better manage IT-relatedrisks. Dependence on electronic information and IT systemsis essential to support critical business processes. In addition,the regulatory environment is mandating stricter control overinformation. This, in turn, is driven by increasing disclosuresof information system disasters and increasing electronicfraud. The management of IT-related risks is now beingunderstood as a key part of enterprise governance.

Within enterprise governance, IT governance is becomingmore and more prominent, and is defined as a structure ofrelationships and processes to direct and control the enter-prise in order to achieve the enterprise’s goals by addingvalue while balancing risk versus return over IT and itsprocesses. IT governance is integral to the success of enter-prise governance by assuring efficient and effective measur-able improvements in related enterprise processes. IT gover-nance provides the structure that links IT processes, ITresources and information to enterprise strategies and objec-tives. Furthermore, IT governance integrates and institution-alises good (or best) practices of planning and organising,

acquiring and implementing, delivering and supporting, andmonitoring IT performance to ensure that the enterprise’sinformation and related technology support its businessobjectives. IT governance thus enables the enterprise to takefull advantage of its information, thereby maximising bene-fits, capitalising on opportunities and gaining competitiveadvantage.

IT GOVERNANCE

A structure of relationships and processes to directand control the enterprise in order to achieve theenterprise’s goals by adding value while balancing riskversus return over IT and its processes.

Organisations must satisfy the quality, fiduciary and secu-rity requirements for their information, as for all assets.

Management must also optimise the use of availableresources, including data, application systems, technology,facilities and people. To discharge these responsibilities, aswell as to achieve its objectives, management must under-stand the status of its own IT systems and decide what secu-rity and control they should provide.

Control Objectives for Information and related Technology(COBIT), now in its 3rd edition, helps meet the multiple needsof management by bridging the gaps between business risks,control needs and technical issues. It provides good practicesacross a domain and process framework and presents activi-ties in a manageable and logical structure. COBIT’s “goodpractices” means consensus of the experts—they will helpoptimise information investments and will provide a measureto be judged against when things do go wrong.

Management must ensure that an internal control system orframework is in place which supports the business processes,makes it clear how each individual control activity satisfiesthe information requirements and impacts the IT resources.Impact on IT resources is highlighted in the COBITFramework together with the business requirements foreffectiveness, efficiency, confidentiality, integrity, availabili-ty, compliance and reliability of information that need to besatisfied. Control, which includes policies, organisationalstructures, practices and procedures, is management’sresponsibility. Management, through its enterprise gover-nance, must ensure that due diligence is exercised by all indi-viduals involved in the management, use, design, develop-ment, maintenance or operation of information systems. AnIT control objective is a statement of the desired result orpurpose to be achieved by implementing control procedureswithin a particular IT activity.

EXECUTIVE OVERVIEW


Business orientation is the main theme of COBIT. It isdesigned to be employed not only by users and auditors,

but also, and more importantly, as comprehensive guidancefor management and business process owners. Increasingly,business practice involves the full empowerment of businessprocess owners so they have total responsibility for allaspects of the business process. In particular, this includesproviding adequate controls.

The COBIT Framework provides a tool for the businessprocess owner that facilitates the discharge of this responsi-bility. The Framework starts from a simple and pragmaticpremise:

In order to provide the information that the organisationneeds to achieve its objectives, IT resources need to bemanaged by a set of naturally grouped processes.

The Framework continues with a set of 34 high-level ControlObjectives, one for each of the IT processes, grouped intofour domains: planning and organisation, acquisition andimplementation, delivery and support, and monitoring. Thisstructure covers all aspects of information and the technolo-gy that supports it. By addressing these 34 high-level controlobjectives, the business process owner can ensure that anadequate control system is provided for the IT environment.

IT governance guidance is also provided in the COBITFramework. IT governance provides the structure that

links IT processes, IT resources and information to enterprisestrategies and objectives. IT governance integrates optimalways of planning and organising, acquiring and implement-ing, delivering and supporting, and monitoring IT perfor-mance. IT governance enables the enterprise to take fulladvantage of its information, thereby maximising benefits,capitalising on opportunities and gaining competitive advan-tage.

In addition, corresponding to each of the 34 high-level con-trol objectives is an Audit Guideline to enable the review ofIT processes against COBIT’s 318 recommended detailedcontrol objectives to provide management assurance and/oradvice for improvement.

The Management Guidelines, COBIT’s most recent devel-opment, further enhances and enables enterprise manage-

ment to deal more effectively with the needs and require-ments of IT governance. The guidelines are action orientedand generic and provide management direction for gettingthe enterprise’s information and related processes under con-trol, for monitoring achievement of organisational goals, formonitoring performance within each IT process and forbenchmarking organisational achievement.

Specifically, COBIT provides Maturity Models for controlover IT processes, so that management can map where theorganisation is today, where it stands in relation to the best-in-class in its industry and to international standards andwhere the organisation wants to be; Critical SuccessFactors, which define the most important management-ori-ented implementation guidelines to achieve control over andwithin its IT processes; Key Goal Indicators, which definemeasures that tell management—after the fact—whether anIT process has achieved its business requirements; and KeyPerformance Indicators, which are lead indicators thatdefine measures of how well the IT process is performing inenabling the goal to be reached.

COBIT’s Management Guidelines are generic andaction oriented for the purpose of answering the fol-lowing types of management questions: How farshould we go, and is the cost justified by the benefit?What are the indicators of good performance? Whatare the critical success factors? What are the risks ofnot achieving our objectives? What do others do? Howdo we measure and compare?

COBIT also contains an Implementation Tool Set that provideslessons learned from those organisations that quickly andsuccessfully applied COBIT in their work environments. Ithas two particularly useful tools—Management AwarenessDiagnostic and IT Control Diagnostic—to assist in analysingan organisation’s IT control environment.

Over the next few years, the management of organisationswill need to demonstrably attain increased levels of securityand control. COBIT is a tool that allows managers to bridgethe gap with respect to control requirements, technical issuesand business risks and communicate that level of control tostakeholders. COBIT enables the development of clear policyand good practice for IT control throughout organisations,worldwide. Thus, COBIT is designed to be the break-through IT governance tool that helps in understandingand managing the risks and benefits associated withinformation and related IT.

CONTROL OBJECTIVES


PO1 define a strategic IT planPO2 define the information architecturePO3 determine the technological directionPO4 define the IT organisation and relationshipsPO5 manage the IT investment PO6 communicate management aims and directionPO7 manage human resourcesPO8 ensure compliance with external requirementsPO9 assess risksPO10 manage projectsPO11 manage quality

AI1 identify automated solutionsAI2 acquire and maintain application softwareAI3 acquire and maintain technology infrastructure AI4 develop and maintain proceduresAI5 install and accredit systemsAI6 manage changes

DS1 define and manage service levelsDS2 manage third-party servicesDS3 manage performance and capacityDS4 ensure continuous serviceDS5 ensure systems securityDS6 identify and allocate costsDS7 educate and train usersDS8 assist and advise customersDS9 manage the configurationDS10 manage problems and incidentsDS11 manage dataDS12 manage facilitiesDS13 manage operations

M1 monitor the processesM2 assess internal control adequacyM3 obtain independent assuranceM4 provide for independent audit

effectivenessefficiencyconfidentialityintegrityavailabilitycompliancereliability

INFORMATION

ACQUISITION &IMPLEMENTATION

DELIVERY &SUPPORT

MONITORING PLANNING &ORGANISATION

peopleapplication systemstechnologyfacilitiesdata

IT RESOURCES

BUSINESS OBJECTIVES

IT GOVERNANCE

COBIT IT PROCESSES DEFINED WITHIN THE FOUR DOMAINS


THE NEED FOR CONTROL ININFORMATION TECHNOLOGYIn recent years, it has become increasingly evident thatthere is a need for a reference framework for security andcontrol in IT. Successful organisations require an appreci-ation for and a basic understanding of the risks and constraints of IT at all levels within the enterprise inorder to achieve effective direction and adequate controls.

MANAGEMENT has to decide what to reasonablyinvest for security and control in IT and how to balancerisk and control investment in an often unpredictable ITenvironment. While information systems security andcontrol help manage risks, they do not eliminate them.In addition, the exact level of risk can never be knownsince there is always some degree of uncertainty.Ultimately, management must decide on the level of riskit is willing to accept. Judging what level can be tolerat-ed, particularly when weighted against the cost, can be adifficult management decision. Therefore, managementclearly needs a framework of generally accepted ITsecurity and control practices to benchmark the existingand planned IT environment.

There is an increasing need for USERS of IT services tobe assured, through accreditation and audit of IT ser-vices provided by internal or third parties, that adequatesecurity and control exists. At present, however, theimplementation of good IT controls in information sys-tems, be they commercial, non-profit or governmental,is hampered by confusion. The confusion arises from thedifferent evaluation methods such as ITSEC, TCSEC,IS0 9000 evaluations, emerging COSO internal controlevaluations, etc. As a result, users need a general foun-dation to be established as a first step.

Frequently, AUDITORS have taken the lead in suchinternational standardisation efforts because they arecontinuously confronted with the need to substantiatetheir opinion on internal control to management.Without a framework, this is an exceedingly difficulttask. Furthermore, auditors are increasingly being calledon by management to proactively consult and advise onIT security and control-related matters.

THE COBIT FRAMEWORK

THE BUSINESS ENVIRONMENT:COMPETITION, CHANGE AND COST Global competition is here. Organisations are restructur-ing to streamline operations and simultaneously takeadvantage of the advances in IT to improve their compet-itive position. Business re-engineering, right-sizing, out-sourcing, empowerment, flattened organisations and dis-tributed processing are all changes that impact the waythat business and governmental organisations operate.These changes are having, and will continue to have,profound implications for the management and opera-tional control structures within organisations worldwide.

Emphasis on attaining competitive advantage and cost-efficiency implies an ever-increasing reliance on tech-nology as a major component in the strategy of mostorganisations. Automating organisational functions is, byits very nature, dictating the incorporation of more pow-erful control mechanisms into computers and networks,both hardware-based and software-based. Furthermore,the fundamental structural characteristics of these con-trols are evolving at the same rate and in the same “leapfrog” manner as the underlying computing and network-ing technologies are evolving.

Within the framework of accelerated change, if man-agers, information systems specialists and auditors areindeed going to be able to effectively fulfil their roles,their skills must evolve as rapidly as the technology andthe environment. One must understand the technologyof controls involved and its changing nature if one is toexercise reasonable and prudent judgments in evaluatingcontrol practices found in typical business or govern-mental organisations.

EMERGENCE OF ENTERPRISE AND IT GOVERNANCETo achieve success in this information economy, enter-prise governance and IT governance can no longer beconsidered separate and distinct disciplines. Effectiveenterprise governance focuses individual and groupexpertise and experience where it can be most produc-tive, monitors and measures performance and providesassurance to critical issues. IT, long considered solely an

CONTROL OBJECTIVES


enabler of an enterprise’s strategy, must now be regard-ed as an integral part of that strategy.

IT governance provides the structure that links ITprocesses, IT resources, and information to enterprisestrategies and objectives. IT governance integrates andinstitutionalises optimal ways of planning and organis-ing, acquiring and implementing, delivering and sup-porting, and monitoring IT performance. IT governanceis integral to the success of enterprise governance byassuring efficient and effective measurable improve-ments in related enterprise processes. IT governanceenables the enterprise to take full advantage of its infor-mation, thereby maximising benefits, capitalising onopportunities and gaining competitive advantage.

Looking at the interplay of enterprise and IT governanceprocesses in more detail, enterprise governance, the sys-tem by which entities are directed and controlled, drivesand sets IT governance. At the same time, IT shouldprovide critical input to, and constitute an importantcomponent of, strategic plans. IT may in fact influencestrategic opportunities outlined by the enterprise.

Enterprise activities require information from IT activi-ties in order to meet business objectives. Successfulorganisations ensure interdependence between theirstrategic planning and their IT activities. IT must be

aligned with and enable the enterprise to take full advan-tage of its information, thereby maximising benefits,capitalising on opportunities and gaining a competitiveadvantage.

Enterprises are governed by generally accepted good (orbest) practices, to ensure that the enterprise is achievingits goals-the assurance of which is guaranteed by certaincontrols. From these objectives flows the organisation’sdirection, which dictates certain enterprise activities,using the enterprise’s resources. The results of the enter-prise activities are measured and reported on, providinginput to the constant revision and maintenance of thecontrols, beginning the cycle again.

EnterpriseGovernance

drives and sets

InformationTechnologyGovernance

EnterpriseActivities

InformationTechnologyActivities

require information from

Enterprise GovernanceDIRECT

EnterpriseActivitiesObjectives Resources

REPORT

CONTROL

USING


IT also is governed by good (or best) practices, toensure that the enterprise’s information and related tech-nology support its business objectives, its resources areused responsibly and its risks are managed appropriate-ly. These practices form a basis for direction of IT activ-ities, which can be characterised as planning and organ-ising, acquiring and implementing, delivering and sup-

THE COBIT FRAMEWORK, continued

porting, and monitoring, for the dual purposes of man-aging risks (to gain security, reliability and compliance)and realising benefits (increasing effectiveness and effi-ciency). Reports are issued on the outcomes of IT activi-ties, which are measured against the various practicesand controls, and the cycle begins again.

IT GovernanceDIRECT

REPORT

IT ActivitiesObjectives

PLAN

DO

CHECK

CORRECT

• IT is aligned withthe business,enables thebusiness andmaximisesbenefits

• IT resources areused responsibly

• IT related risksare managedappropriately

• security• reliability• compliance

Manage risks Realise Benefits

DecreaseCosts - beefficient

Planning and Organisation

Acquisition and Implementation

Delivery and Support

Monitoring

IncreaseAutomation - be effective

CONTROL

In order to ensure that management reaches its business objectives, it must direct and manage IT activities toreach an effective balance between managing risks and realising benefits. To accomplish this, managementneeds to identify the most important activities to be performed, measure progress towards achieving goals anddetermine how well the IT processes are performing. In addition, it needs the ability to evaluate the organisa-tion’s maturity level against industry best practices and international standards. To support these manage-ment needs, the COBIT Management Guidelines have identified specific Critical Success Factors, KeyGoal Indicators, Key Performance Indicators and an associated Maturity Model for IT governance, aspresented in Appendix I.

CONTROL OBJECTIVES


RESPONSE TO THE NEED In view of these ongoing changes, the development ofthis framework for control objectives for IT, along withcontinued applied research in IT controls based on thisframework, are cornerstones for effective progress in thefield of information and related technology controls.

On the one hand, we have witnessed the developmentand publication of overall business control models likeCOSO (Committee of Sponsoring Organisations of theTreadway Commission-Internal Control—IntegratedFramework, 1992) in the US, Cadbury in the UK, CoCoin Canada and King in South Africa. On the other hand,an important number of more focused control modelsare in existence at the level of IT. Good examples of thelatter category are the Security Code of Conduct fromDTI (Department of Trade and Industry, UK),Information Technology Control Guidelines from CICA(Canadian Institute of Chartered Accountants, Canada),and the Security Handbook from NIST (NationalInstitute of Standards and Technology, US). However,these focused control models do not provide a compre-hensive and usable control model over IT in support ofbusiness processes. The purpose of COBIT is to bridgethis gap by providing a foundation that is closely linkedto business objectives while focusing on IT.

(Most closely related to COBIT is the recently publishedAICPA/CICA SysTrustTM Principles and Criteria forSystems Reliability. SysTrust is an authoritativeissuance of both the Assurance Services ExecutiveCommittee in the United States and the AssuranceServices Development Board in Canada, based in parton the COBIT Control Objectives. SysTrust is designedto increase the comfort of management, customers andbusiness partners with the systems that support a busi-ness or a particular activity. The SysTrust service entailsthe public accountant providing an assurance service inwhich he or she evaluates and tests whether a system isreliable when measured against four essential principles:availability, security, integrity and maintainability.)

A focus on the business requirements for controls in ITand the application of emerging control models and

related international standards evolved the originalInformation Systems Audit and Control Foundation’sControl Objectives from an auditor’s tool to COBIT, amanagement tool. Further, the development of ITManagement Guidelines has taken COBIT to the nextlevel-providing management with Key Goal Indicators(KGIs), Key Performance Indicators (KPIs), CriticalSuccess Factors (CSFs) and Maturity Models so that itcan assess its IT environment and make choices for con-trol implementation and control improvements over theorganisation’s information and related technology.

Hence, the main objective of the COBIT project is thedevelopment of clear policies and good practices forsecurity and control in IT for worldwide endorsement bycommercial, governmental and professional organisa-tions. It is the goal of the project to develop these con-trol objectives primarily from the business objectivesand needs perspective. (This is compliant with theCOSO perspective, which is first and foremost a man-agement framework for internal controls.) Subsequently,control objectives have been developed from the auditobjectives (certification of financial information, certifi-cation of internal control measures, efficiency and effec-tiveness, etc.) perspective.

AUDIENCE: MANAGEMENT, USERS AND AUDITORSCOBIT is designed to be used by three distinct audiences.

MANAGEMENT:to help them balance risk and control investment in anoften unpredictable IT environment.

USERS:to obtain assurance on the security and controls of ITservices provided by internal or third parties.

AUDITORS:to substantiate their opinions and/or provide advice tomanagement on internal controls.


THE COBIT FRAMEWORK, continued

BUSINESS OBJECTIVES ORIENTATIONCOBIT is aimed at addressing business objectives. Thecontrol objectives make a clear and distinct link to busi-ness objectives in order to support significant use out-side the audit community. Control objectives are definedin a process-oriented manner following the principle ofbusiness re-engineering. At identified domains andprocesses, a high-level control objective is identified andrationale provided to document the link to the businessobjectives. In addition, considerations and guidelines are provided to define and implement the IT controlobjective.

The classification of domains where high-level controlobjectives apply (domains and processes), an indicationof the business requirements for information in thatdomain, as well as the IT resources primarily impactedby the control objectives, together form the COBITFramework. The Framework is based on the researchactivities that have identified 34 high-level controlobjectives and 318 detailed control objectives. TheFramework was exposed to the IT industry and the auditprofession to allow an opportunity for review, challengeand comment. The insights gained have been appropri-ately incorporated.

GENERAL DEFINITIONSFor the purpose of this project, the following definitionsare provided. “Control” is adapted from the COSOReport (Internal Control—Integrated Framework,Committee of Sponsoring Organisations of theTreadway Commission, 1992) and “IT ControlObjective” is adapted from the SAC Report (SystemsAuditability and Control Report, The Institute ofInternal Auditors Research Foundation, 1991 and 1994).

the policies, procedures, practicesand organisational structuresdesigned to provide reasonableassurance that business objectiveswill be achieved and that undesiredevents will be prevented or detect-ed and corrected.

a statement of the desired result orpurpose to be achieved by imple-menting control procedures in aparticular IT activity.

a structure of relationships andprocesses to direct and control theenterprise in order to achieve theenterprise’s goals by adding valuewhile balancing risk versus returnover IT and its processes.

Control is defined as

IT Control Objectiveis defined as

IT Governanceis defined as

CONTROL OBJECTIVES


THE FRAMEWORK’S PRINCIPLES

FiduciaryRequirements (COSO Report)

QualityRequirements

SecurityRequirements

There are two distinct classes of control models current-ly available: those of the “business control model” class(e.g., COSO) and the “more focused control models forIT” (e.g., DTI). COBIT aims to bridge the gap that existsbetween the two. COBIT is therefore positioned to bemore comprehensive for management and to operate at ahigher level than technology standards for informationsystems management. Thus, COBIT is the model for ITgovernance!

The underpinning concept of the COBIT Framework isthat control in IT is approached by looking at informa-tion that is needed to support the business objectives orrequirements, and by looking at information as being theresult of the combined application of IT-relatedresources that need to be managed by IT processes.

To satisfy business objectives, information needs to con-form to certain criteria, which COBIT refers to as busi-ness requirements for information. In establishing thelist of requirements, COBIT combines the principlesembedded in existing and known reference models:

QualityCostDelivery

Effectiveness and Efficiency ofoperations

Reliability of InformationCompliance with laws and regulations

ConfidentialityIntegrityAvailability

Quality has been retained primarily for its negativeaspect (no faults, reliability, etc.), which is also capturedto a large extent by the Integrity criterion. The positivebut less tangible aspects of Quality (style, attractiveness,“look and feel,” performing beyond expectations, etc.)were, for a time, not being considered from an IT con-trol objectives point of view. The premise is that the firstpriority should go to properly managing the risks asopposed to the opportunities. The usability aspect ofQuality is covered by the Effectiveness criterion. TheDelivery aspect of Quality was considered to overlapwith the Availability aspect of the Security requirementsand also to some extent Effectiveness and Efficiency.Finally, Cost is also considered covered by Efficiency.

For the Fiduciary Requirements, COBIT did not attemptto reinvent the wheel—COSO’s definitions for Effectiveness and Efficiency of operations, Reliability ofInformation and Compliance with laws and regulationswere used. However, Reliability of Information wasexpanded to include all information—not just financialinformation.

With respect to the Security Requirements, COBIT iden-tified Confidentiality, Integrity, and Availability as thekey elements—these same three elements, it was found,are used worldwide in describing IT security require-ments.

IT PROCESSES

BUSINESSREQUIREMENTS

IT RESOURCES


Starting the analysis from the broader Quality, Fiduciaryand Security requirements, seven distinct, certainlyoverlapping, categories were extracted. COBIT’s workingdefinitions are as follows:

deals with information being relevantand pertinent to the business processas well as being delivered in a timely,correct, consistent and usable manner.

concerns the provision of informationthrough the optimal (most productiveand economical) use of resources.

concerns the protection of sensitiveinformation from unauthorised disclo-sure.

relates to the accuracy and complete-ness of information as well as to itsvalidity in accordance with businessvalues and expectations.

relates to information being availablewhen required by the business processnow and in the future. It also concernsthe safeguarding of necessaryresources and associated capabilities.

deals with complying with those laws,regulations and contractual arrange-ments to which the business process issubject, i.e., externally imposed busi-ness criteria.

relates to the provision of appropriateinformation for management to oper-ate the entity and for management toexercise its financial and compliancereporting responsibilities.

THE FRAMEWORK’S PRINCIPLES, continued

The IT resources identified in COBIT can beexplained/defined as follows:

are objects in their widest sense (i.e.,external and internal), structured andnon-structured, graphics, sound, etc.

are understood to be the sum of man-ual and programmed procedures.

covers hardware, operating systems,database management systems, net-working, multimedia, etc.

are all the resources to house and sup-port information systems.

include staff skills, awareness andproductivity to plan, organise, acquire,deliver, support and monitor informa-tion systems and services.

Confidentiality

Integrity

Availability

Compliance

Reliability ofInformation

Data

Facilities

People

ApplicationSystems

Technology

Effectiveness

Efficiency

CONTROL OBJECTIVES


In order to ensure that the business requirements forinformation are met, adequate control measures need tobe defined, implemented and monitored over theseresources. How then can organisations satisfy them-

selves that the information they get exhibits the charac-teristics they need? This is where a sound framework ofIT control objectives is required. The next diagram illus-trates this concept.

Information Criteria• effectiveness• efficiency• confidentiality• integrity• availability• compliance• reliability

• people• application systems• technology• facilities• data

IT RESOURCES

INFORMATION

BUSINESSPROCESSESWhat you get What you need

Do they match

Money or capital was not retained as an IT resource forclassification of control objectives because it can beconsidered as being the investment into any of the aboveresources. It should also be noted that the Frameworkdoes not specifically refer to documentation of all mater-ial matters relating to a particular IT process. As a mat-ter of good practice, documentation is considered essen-

tial for good control, and therefore lack of documenta-tion would be cause for further review and analysis forcompensating controls in any specific area under review.

Another way of looking at the relationship of ITresources to the delivery of services is depicted below.

Data

EVENTSBusiness ObjectivesBusiness OpportunitiesExternal RequirementsRegulationsRisks

serviceoutput

messageinput

TECHNOLOGY

FACILITIES

PEOPLE

Application SystemsINFORMATIONEffectivenessEfficiencyConfidentialityIntegrityAvailabilityComplianceReliability

THE FRAMEWORK’S PRINCIPLES, continued


The COBIT Framework consists of high-level controlobjectives and an overall structure for their classifica-tion. The underlying theory for the classification is thatthere are, in essence, three levels of IT efforts when con-sidering the management of IT resources. Starting at thebottom, there are the activities and tasks needed toachieve a measurable result. Activities have a life-cycleconcept while tasks are more discrete. The life-cycleconcept has typical control requirements different fromdiscrete activities. Processes are then defined one layerup as a series of joined activities or tasks with natural(control) breaks. At the highest level, processes are natu-rally grouped together into domains. Their naturalgrouping is often confirmed as responsibility domains inan organisational structure and is in line with the man-agement cycle or life cycle applicable to IT processes.

Thus, the conceptual framework can be approachedfrom three vantage points: (1) information criteria, (2)IT resources and (3) IT processes. These three vantagepoints are depicted in the COBIT Cube.

With the preceding as the framework, the domains areidentified using wording that management would use inthe day-to-day activities of the organisation—not auditorjargon. Thus, four broad domains are identified: plan-ning and organisation, acquisition and implementation,delivery and support, and monitoring.

Definitions for the four domains identified for the high-level classification are:

This domain covers strategy and tac-tics, and concerns the identification ofthe way IT can best contribute to theachievement of the business objec-tives. Furthermore, the realisation ofthe strategic vision needs to beplanned, communicated and managedfor different perspectives. Finally, aproper organisation as well as techno-logical infrastructure must be put inplace.

To realise the IT strategy, IT solutionsneed to be identified, developed oracquired, as well as implemented andintegrated into the business process.In addition, changes in and mainte-nance of existing systems are coveredby this domain to make sure that thelife cycle is continued for these systems.

This domain is concerned with theactual delivery of required services,which range from traditional opera-tions over security and continuityaspects to training. In order to deliverservices, the necessary supportprocesses must be set up. This domain includes the actual pro-cessing of data by application sys-tems, often classified under applica-tion controls.

Domains

Processes

Activities/Tasks

Peop

leA

pplic

atio

n Sy

stem

s

Tec

hnol

ogy

Fac

ilitie

s

Dat

a

QualityFiduciary

Security

Domains

Processes

ActivitiesIT P

roce

sses

Information Criteria

IT Re

sour

ces

Planning andOrganisation

Acquisition andImplementation

Delivery andSupport

CONTROL OBJECTIVES


All IT processes need to be regularlyassessed over time for their qualityand compliance with control require-ments. This domain thus addressesmanagement’s oversight of the organi-sation’s control process and indepen-dent assurance provided by internaland external audit or obtained fromalternative sources.

It should be noted that these IT processes can be appliedat different levels within an organisation. For example,some of these processes will be applied at the enterpriselevel, others at the IT function level, others at the busi-ness process owner level, etc.

It should also be noted that the Effectiveness criterion ofprocesses that plan or deliver solutions for businessrequirements will sometimes cover the criteria forAvailability, Integrity and Confidentiality—in practice,they have become business requirements. For example,the process of “identify solutions” has to be effective inproviding the Availability, Integrity and Confidentialityrequirements.

It is clear that all control measures will not necessarilysatisfy the different business requirements for informa-tion to the same degree.

• Primary is the degree to which the definedcontrol objective directly impacts theinformation criterion concerned.

• Secondary is the degree to which the definedcontrol objective satisfies only to alesser extent or indirectly the informa-tion criterion concerned.

• Blank could be applicable; however, require-ments are more appropriately satisfiedby another criterion in this processand/or by another process.

Similarly, all control measures will not necessarilyimpact the different IT resources to the same degree.Therefore, the COBIT Framework specifically indicatesthe applicability of the IT resources that are specificallymanaged by the process under consideration (not thosethat merely take part in the process). This classificationis made within the COBIT Framework based on a rigor-ous process of input from researchers, experts andreviewers, using the strict definitions previously indicated.

In summary, in order to provide the information that theorganisation needs to achieve its objectives, IT gover-nance must be exercised by the organisation to ensurethat IT resources are managed by a set of naturallygrouped IT processes. The following diagram illustratesthis concept.

Monitoring

COBIT IT PROCESSES DEFINED WITHINTHE FOUR DOMAINS

PO1 define a strategic IT planPO2 define the information architecturePO3 determine the technological directionPO4 define the IT organisation and relationshipsPO5 manage the IT investment PO6 communicate management aims and directionPO7 manage human resourcesPO8 ensure compliance with external requirementsPO9 assess risksPO10 manage projectsPO11 manage quality

AI1 identify automated solutionsAI2 acquire and maintain application softwareAI3 acquire and maintain technology infrastructure AI4 develop and maintain proceduresAI5 install and accredit systemsAI6 manage changes

DS1 define and manage service levelsDS2 manage third-party servicesDS3 manage performance and capacityDS4 ensure continuous serviceDS5 ensure systems securityDS6 identify and allocate costsDS7 educate and train usersDS8 assist and advise customersDS9 manage the configurationDS10 manage problems and incidentsDS11 manage dataDS12 manage facilitiesDS13 manage operations

M1 monitor the processesM2 assess internal control adequacyM3 obtain independent assuranceM4 provide for independent audit


INFORMATION

ACQUISITION &IMPLEMENTATION

DELIVERY &SUPPORT

MONITORING PLANNING &ORGANISATION

peopleapplication systemstechnologyfacilitiesdata

IT RESOURCES

BUSINESS OBJECTIVES

IT GOVERNANCE


COBIT 3rd Edition is the most recent version of ControlObjectives for Information and related Technology, firstreleased by the Information Systems Audit and ControlFoundation (ISACF) in 1996. The 2nd edition, reflectingan increase in the number of source documents, a revision in the high-level and detailed control objectivesand the addition of the Implementation Tool Set, waspublished in 1998. The 3rd edition marks the entry of anew primary publisher for COBIT: the IT GovernanceInstitute.

The IT Governance Institute was formed by theInformation System Audit and Control Association(ISACA) and its related Foundation in 1998 in order toadvance the understanding and adoption of IT gover-nance principles. Due to the addition of theManagement Guidelines to COBIT 3rd Edition and itsexpanded and enhanced focus on IT governance, the ITGovernance Institute took a leading role in the publica-tion’s development.

COBIT was originally based on ISACF’s ControlObjectives, and has been enhanced with existing andemerging international technical, professional, regulato-ry and industry-specific standards. The resulting controlobjectives have been developed for application to organ-isation-wide information systems. The term “generallyapplicable and accepted” is explicitly used in the samesense as Generally Accepted Accounting Principles(GAAP).

COBIT is relatively small in size and attempts to be bothpragmatic and responsive to business needs while beingindependent of the technical IT platforms adopted in anorganisation.

While not excluding any other accepted standard in theinformation systems control field that may have come tolight during the research, sources identified are:

Technical standards from ISO, EDIFACT, etc.Codes of Conduct issued by the Council of Europe,OECD, ISACA, etc.Qualification criteria for IT systems and processes:ITSEC, TCSEC, ISO 9000, SPICE, TickIT, CommonCriteria, etc.Professional standards for internal control and audit-ing: COSO, IFAC, AICPA, CICA, ISACA, IIA, PCIE,GAO, etc.Industry practices and requirements from industryforums (ESF, I4) and government-sponsored platforms(IBAG, NIST, DTI), etc., andEmerging industry-specific requirements from bank-ing, electronic commerce, and IT manufacturing.

Refer to Appendix II, COBIT Project Description;Appendix III, COBIT Primary Reference Material;and Appendix IV, Glossary of Terms.

COBIT HISTORY AND BACKGROUND

CONTROL OBJECTIVES


– Executive Overview– Case Studies– FAQs– Power Point Presentations– Implementation Guide • Management Awareness Diagnostics • IT Control Diagnostics

IMPLEMENTATION TOOL SET

AUDIT GUIDELINESDETAILED CONTROLOBJECTIVES

MANAGEMENTGUIDELINES

FRAMEWORKwith High-Level Control Objectives

Key PerformanceIndicators

Key GoalIndicators

MaturityModels

Critical Success Factors

Key GoalIndicators

Key PerformanceIndicators

EXECUTIVE SUMMARY

COBIT Family of Products

COBIT PRODUCT EVOLUTIONCOBIT will evolve over the years and be the foundationfor further research. Thus, a family of COBIT productswill be created and, as this occurs, the IT tasks andactivities that serve as the structure to organise controlobjectives will be further refined, and the balancebetween domains and processes reviewed in light of theindustry’s changing landscape.

Research and publication have been made possible bysignificant grants from PricewaterhouseCoopers anddonations from ISACA chapters and members world-wide. The European Security Forum (ESF) kindly maderesearch material available to the project. The GartnerGroup also participated in the development and provid-ed quality assurance review of the ManagementGuidelines.


CONTROL OBJECTIVESSUMMARY TABLE

The following chart provides an indication, by ITprocess and domain, of which information criteria are

impacted by the high-level control objectives, as well asan indication of which IT resources are applicable.

Define a strategic IT plan

Ensure compliance with external requirements

Manage human resources

Communicate management aims and direction

Manage the IT investment

Determine technological direction

Define the IT organisation and relationships

Define the information architecture

Assess risks

Manage projects

Manage quality

Manage changes

Install and accredit systems

Acquire and maintain technology infrastructure

Develop and maintain procedures

Acquire and maintain application software

Identify automated solutions

Manage operations

Manage facilities

Manage data

Manage problems and incidents

Manage the configuration

Assist and advise customers

Educate and train users

Identify and allocate costs

Ensure systems security

Ensure continuous service

Manage performance and capacity

Manage third-party services

Define and manage service levels

Provide for independent audit

Obtain independent assurance

Assess internal control adequacy

Monitor the processes

PROCESS

✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

PPPPPPPPPPP

SSSSP

P

SPP

S

P

S

P

P

P

S

PS

S

SS

S

PPPPPPPP

PP

SSSSP

P

SPP

S

P

S

P

P

P

S

PS

S

SS

S

PPPP

PPPP

SSSS

SSSS

SSSS

SPPP

SSSS

PPPP

PPPP

P

PPPS

PSP

P

P

SS

P

SS

P

PPS

SSSPS

SS

PS

SS

S

SS

SP

S

P

PPPPPP

SPPP

P

SSSSP

SP

S

S

S

S

S

✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

Information Criteria IT Resources

DOMAIN

Planning &Organisation

Acquisition &Implementation

Delivery &Support

Monitoring

DS1

DS2

DS3

DS4

DS5

DS6

DS7

DS8

DS9

DS10

DS11

DS12

DS13

M1

M2

M3

M4

AI1

AI2

AI3

AI4

AI5

AI6

PO1

PO2

PO3

PO4

PO5

PO6

PO7

PO8

PO9

PO10

PO11

(P) primary (S) secondary (✓ ) applicable to

CONTROL OBJECTIVES


COBIT, as embodied in this latest version of itsControl Objectives, reflects the ongoing commitmentof ISACA to enhance and maintain the commonbody of knowledge required to sustain the informa-tion systems audit and control profession.

The COBIT Framework has been limited to high-levelcontrol objectives in the form of a business needwithin a particular IT process, the achievement ofwhich is enabled by a control statement, for whichconsideration should be given to potentially applica-ble controls.

The control objectives have been organised byprocess/activity, but navigation aids have been pro-vided not only to facilitate entry from any one van-tage point, but also to facilitate combined or globalapproaches, such as installation/implementation of aprocess, global management responsibilities for aprocess and the use of IT resources by a process.

It should also be noted that the control objectiveshave been defined in a generic way; i.e., not depend-ing on the technical platform, while accepting the

fact that some special technology environments mayneed separate coverage for control objectives.Whereas the COBIT Framework focuses on high-level controls for each process, Control Objectivesfocuses on specific, detailed control objectivesassociated with each IT process. For each of the 34IT processes of the Framework, there are from threeto 30 detailed control objectives, for a total of 318.

Control Objectives aligns the overall Framework withdetailed control objectives from 41 primary sourcescomprising the de facto and de jure international stan-dards and regulations relating to IT. It contains state-ments of the desired results or purposes to beachieved by implementing specific control procedureswithin an IT activity and, thereby, provides a clearpolicy and good practice for IT control throughout theindustry, worldwide.

Control Objectives is directed to the managementand staff of the IT, control and audit functions—and,most importantly, to the business process owners.Control Objectives provides a working, desktop doc-ument for these individuals. Precise and clear defini-tions of a minimum set of controls to ensure effec-tiveness, efficiency and economy of resource utilisa-tion are identified. For each process, detailed controlobjectives are identified as the minimum controlsneeded to be in place—those controls that will beassessed for sufficiency by the controls professional.Control Objectives allows the translation of conceptspresented in the Framework into specific controlsapplicable for each IT process.

ControlPractices

consideringControl

Statements

is enabled byBusiness

Requirements

which satisfyIT Processes

The control of

THE CONTROL OBJECTIVES’ PRINCIPLES


To facilitate efficient use of the control objectives in support of thedifferent vantage points, some navigation aids are provided as part ofthe presentation of the high-level control objectives. For each of thethree dimensions along which the COBIT Framework can beapproached—processes, IT resources and information criteria—anavigation aid is provided.

IT domains are identified by this icon in the UPPER RIGHT CORNER ofeach page in the Control Objectives section, with the domain underreview highlighted and enlarged.

The cue to information criteria will be provided in the UPPER LEFT

CORNER in the Control Objectives section by means of this mini-matrix, which will identify which criteria are applicable to each high-level control objective and to which degree (primary or secondary).

A second mini-matrix in the LOWER RIGHT CORNER in the ControlObjectives section identifies the IT resources that are specificallymanaged by the process under consideration—not those that merelytake part in the process. For example, the “manage data” process con-centrates particularly on Integrity and Reliability of the data resource.

InformationCriteria

Three Vantage Points

Navigation Aids

ITDomains

ITResources

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

S PS P


Monitoring

Delivery &Support



Monitoring

Delivery &Support


effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

S PS P

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES NAVIGATION OVERVIEWThe Control Objectives section contains detailed control objectives for each of the 34 IT processes. On the left pageis the high-level control objective. The domain indicator (“PO” for Planning & Organisation, “AI” for Acquisition& Implementation, “DS” for Delivery & Support and “M” for Monitoring) is shown at top left. The applicableinformation criteria and IT resources managed are shown via mini-matrix, as described below. Beginning on theright page, are the descriptions of the detailed control objectives for the IT process.

CONTROL OBJECTIVES


CONTROL OBJECTIVE RELATIONSHIPSDOMAINS, PROCESSES AND CONTROL OBJECTIVES

PLANNING & ORGANISATION

1.0 Define a Strategic IT Plan1.1 IT as Part of the Organisation’s Long- and

Short-Range Plan1.2 IT Long-Range Plan1.3 IT Long-Range Planning—Approach and

Structure1.4 IT Long-Range Plan Changes1.5 Short-Range Planning for the IT Function1.6 Communication of IT Plans1.7 Monitoring and Evaluating of IT Plans1.8 Assessment of Existing Systems

2.0 Define the Information Architecture2.1 Information Architecture Model2.2 Corporate Data Dictionary and Data

Syntax Rules2.3 Data Classification Scheme2.4 Security Levels

3.0 Determine Technological Direction3.1 Technological Infrastructure Planning3.2 Monitor Future Trends and Regulations3.3 Technological Infrastructure Contingency3.4 Hardware and Software Acquisition Plans3.5 Technology Standards

4.0 Define the IT Organisation and Relationships4.1 IT Planning or Steering Committee4.2 Organisational Placement of the IT

Function4.3 Review of Organisational Achievements4.4 Roles and Responsibilities4.5 Responsibility for Quality Assurance4.6 Responsibility for Logical and Physical

Security4.7 Ownership and Custodianship4.8 Data and System Ownership4.9 Supervision4.10 Segregation of Duties4.11 IT Staffing4.12 Job or Position Descriptions for IT Staff4.13 Key IT Personnel

4.14 Contracted Staff Policies and Procedures4.15 Relationships

5.0 Manage the IT Investment5.1 Annual IT Operating Budget5.2 Cost and Benefit Monitoring5.3 Cost and Benefit Justification

6.0 Communicate Management Aims andDirection6.1 Positive Information Control Environment6.2 Management’s Responsibility for Policies6.3 Communication of Organisation Policies6.4 Policy Implementation Resources6.5 Maintenance of Policies6.6 Compliance with Policies, Procedures and

Standards6.7 Quality Commitment6.8 Security and Internal Control Framework

Policy6.9 Intellectual Property Rights6.10 Issue-Specific Policies6.11 Communication of IT Security Awareness

7.0 Manage Human Resources7.1 Personnel Recruitment and Promotion7.2 Personnel Qualifications7.3 Roles and Responsibilities7.4 Personnel Training7.5 Cross-Training or Staff Back-up7.6 Personnel Clearance Procedures7.7 Employee Job Performance Evaluation7.8 Job Change and Termination

8.0 Ensure Compliance with ExternalRequirements8.1 External Requirements Review8.2 Practices and Procedures for Complying

with External Requirements8.3 Safety and Ergonomic Compliance8.4 Privacy, Intellectual Property and Data Flow8.5 Electronic Commerce8.6 Compliance with Insurance Contracts


PLANNING & ORGANISATION continued9.0 Assess Risks

9.1 Business Risk Assessment9.2 Risk Assessment Approach9.3 Risk Identification9.4 Risk Measurement9.5 Risk Action Plan9.6 Risk Acceptance9.7 Safeguard Selection9.8 Risk Assessment Commitment

10.0 Manage Projects10.1 Project Management Framework10.2 User Department Participation in Project

Initiation10.3 Project Team Membership and

Responsibilities10.4 Project Definition10.5 Project Approval10.6 Project Phase Approval10.7 Project Master Plan10.8 System Quality Assurance Plan10.9 Planning of Assurance Methods10.10 Formal Project Risk Management10.11 Test Plan10.12 Training Plan10.13 Post-Implementation Review Plan

11.0 Manage Quality11.1 General Quality Plan11.2 Quality Assurance Approach11.3 Quality Assurance Planning11.4 Quality Assurance Review of Adherence

to IT Standards and Procedures11.5 System Development Life Cycle

Methodology11.6 System Development Life Cycle

Methodology for Major Changes toExisting Technology

11.7 Updating of the System Development LifeCycle Methodology

11.8 Coordination and Communication11.9 Acquisition and Maintenance Framework

for the Technology Infrastructure

DOMAINS, PROCESSES AND CONTROL OBJECTIVES11.10 Third-Party Implementor Relationships11.11 Programme Documentation Standards11.12 Programme Testing Standards11.13 System Testing Standards11.14 Parallel/Pilot Testing11.15 System Testing Documentation11.16 Quality Assurance Evaluation of

Adherence to Development Standards11.17 Quality Assurance Review of the

Achievement of IT Objectives11.18 Quality Metrics11.19 Reports of Quality Assurance Reviews

ACQUISITION & IMPLEMENTATION

1.0 Identify Automated Solutions1.1 Definition of Information Requirements1.2 Formulation of Alternative Courses of

Action1.3 Formulation of Acquisition Strategy1.4 Third-Party Service Requirements1.5 Technological Feasibility Study1.6 Economic Feasibility Study1.7 Information Architecture1.8 Risk Analysis Report1.9 Cost-Effective Security Controls1.10 Audit Trails Design1.11 Ergonomics1.12 Selection of System Software1.13 Procurement Control1.14 Software Product Acquisition1.15 Third-Party Software Maintenance1.16 Contract Application Programming1.17 Acceptance of Facilities1.18 Acceptance of Technology

2.0 Acquire and Maintain Application Software2.1 Design Methods2.2 Major Changes to Existing Systems2.3 Design Approval2.4 File Requirements Definition and

Documentation2.5 Programme Specifications2.6 Source Data Collection Design

CONTROL OBJECTIVES


DOMAINS, PROCESSES AND CONTROL OBJECTIVES2.7 Input Requirements Definition and

Documentation2.8 Definition of Interfaces2.9 User-Machine Interface2.10 Processing Requirements Definition and

Documentation2.11 Output Requirements Definition and

Documentation2.12 Controllability2.13 Availability as a Key Design Factor2.14 IT Integrity Provisions in Application

Programme Software2.15 Application Software Testing2.16 User Reference and Support Materials2.17 Reassessment of System Design

3.0 Acquire and Maintain TechnologyInfrastructure3.1 Assessment of New Hardware and

Software3.2 Preventative Maintenance for Hardware3.3 System Software Security3.4 System Software Installation3.5 System Software Maintenance3.6 System Software Change Controls3.7 Use and Monitoring of System Utilities

4.0 Develop and Maintain Procedures4.1 Operational Requirements and

Service Levels4.2 User Procedures Manual4.3 Operations Manual4.4 Training Materials

5.0 Install and Accredit Systems5.1 Training5.2 Application Software Performance Sizing5.3 Implementation Plan5.4 System Conversion5.5 Data Conversion5.6 Testing Strategies and Plans5.7 Testing of Changes5.8 Parallel/Pilot Testing Criteria and

Performance5.9 Final Acceptance Test5.10 Security Testing and Accreditation

5.11 Operational Test5.12 Promotion to Production5.13 Evaluation of Meeting User Requirements5.14 Management’s Post-Implementation

Review6.0 Manage Changes

6.1 Change Request Initiation and Control6.2 Impact Assessment6.3 Control of Changes6.4 Emergency Changes6.5 Documentation and Procedures6.6 Authorised Maintenance6.7 Software Release Policy6.8 Distribution of Software

DELIVERY & SUPPORT

1.0 Define and Manage Service Levels1.1 Service Level Agreement Framework1.2 Aspects of Service Level Agreements1.3 Performance Procedures1.4 Monitoring and Reporting1.5 Review of Service Level Agreements and

Contracts1.6 Chargeable Items1.7 Service Improvement Programme

2.0 Manage Third-Party Services2.1 Supplier Interfaces2.2 Owner Relationships2.3 Third-Party Contracts2.4 Third-Party Qualifications2.5 Outsourcing Contracts2.6 Continuity of Services2.7 Security Relationships2.8 Monitoring

3.0 Manage Performance and Capacity3.1 Availability and Performance

Requirements3.2 Availability Plan3.3 Monitoring and Reporting3.4 Modeling Tools3.5 Proactive Performance Management3.6 Workload Forecasting3.7 Capacity Management of Resources


DELIVERY & SUPPORT continued3.8 Resources Availability3.9 Resources Schedule

4.0 Ensure Continuous Service4.1 IT Continuity Framework4.2 IT Continuity Plan Strategy and

Philosophy4.3 IT Continuity Plan Contents4.4 Minimising IT Continuity Requirements4.5 Maintaining the IT Continuity Plan4.6 Testing the IT Continuity Plan4.7 IT Continuity Plan Training4.8 IT Continuity Plan Distribution4.9 User Department Alternative Processing

Back-up Procedures4.10 Critical IT Resources4.11 Back-up Site and Hardware4.12 Off-site Back-up Storage4.13 Wrap-up Procedures

5.0 Ensure Systems Security5.1 Manage Security Measures5.2 Identification, Authentication and Access5.3 Security of Online Access to Data5.4 User Account Management5.5 Management Review of User Accounts5.6 User Control of User Accounts5.7 Security Surveillance5.8 Data Classification5.9 Central Identification and Access Rights

Management5.10 Violation and Security Activity Reports5.11 Incident Handling5.12 Reaccreditation5.13 Counterparty Trust5.14 Transaction Authorisation5.15 Non-Repudiation5.16 Trusted Path5.17 Protection of Security Functions5.18 Cryptographic Key Management5.19 Malicious Software Prevention, Detection

and Correction5.20 Firewall Architectures and Connections

with Public Networks

DOMAINS, PROCESSES AND CONTROL OBJECTIVES5.21 Protection of Electronic Value

6.0 Identify and Allocate Costs6.1 Chargeable Items6.2 Costing Procedures6.3 User Billing and Chargeback Procedures

7.0 Educate and Train Users7.1 Identification of Training Needs7.2 Training Organisation7.3 Security Principles and Awareness Training

8.0 Assist and Advise Customers8.1 Help Desk8.2 Registration of Customer Queries8.3 Customer Query Escalation8.4 Monitoring of Clearance8.5 Trend Analysis and Reporting

9.0 Manage the Configuration9.1 Configuration Recording9.2 Configuration Baseline9.3 Status Accounting9.4 Configuration Control9.5 Unauthorised Software9.6 Software Storage9.7 Configuration Management Procedures9.8 Software Accountability

10.0 Manage Problems and Incidents10.1 Problem Management System10.2 Problem Escalation10.3 Problem Tracking and Audit Trail10.4 Emergency and Temporary Access

Authorisations10.5 Emergency Processing Priorities

11.0 Manage Data11.1 Data Preparation Procedures11.2 Source Document Authorisation

Procedures11.3 Source Document Data Collection11.4 Source Document Error Handling11.5 Source Document Retention11.6 Data Input Authorisation Procedures11.7 Accuracy, Completeness and

Authorisation Checks11.8 Data Input Error Handling11.9 Data Processing Integrity

CONTROL OBJECTIVES


11.10 Data Processing Validation and Editing11.11 Data Processing Error Handling11.12 Output Handling and Retention11.13 Output Distribution11.14 Output Balancing and Reconciliation11.15 Output Review and Error Handling11.16 Security Provision for Output Reports11.17 Protection of Sensitive Information

During Transmission and Transport11.18 Protection of Disposed Sensitive Information11.19 Storage Management11.20 Retention Periods and Storage Terms11.21 Media Library Management System11.22 Media Library Management

Responsibilities11.23 Back-up and Restoration11.24 Back-up Jobs11.25 Back-up Storage11.26 Archiving11.27 Protection of Sensitive Messages11.28 Authentication and Integrity11.29 Electronic Transaction Integrity11.30 Continued Integrity of Stored Data

12.0 Manage Facilities12.1 Physical Security12.2 Low Profile of the IT Site12.3 Visitor Escort12.4 Personnel Health and Safety12.5 Protection Against Environmental Factors12.6 Uninterruptible Power Supply

13.0 Manage Operations13.1 Processing Operations Procedures and

Instructions Manual13.2 Start-up Process and Other Operations

Documentation13.3 Job Scheduling13.4 Departures from Standard Job Schedules13.5 Processing Continuity13.6 Operations Logs13.7 Safeguard Special Forms and Output Devices13.8 Remote Operations

MONITORING

1.0 Monitor the Processes1.1 Collecting Monitoring Data1.2 Assessing Performance1.3 Assessing Customer Satisfaction1.4 Management Reporting

2.0 Assess Internal Control Adequacy2.1 Internal Control Monitoring2.2 Timely Operation of Internal Controls2.3 Internal Control Level Reporting2.4 Operational Security and Internal Control

Assurance3.0 Obtain Independent Assurance

3.1 Independent Security and Internal ControlCertification/Accreditation of IT Services

3.2 Independent Security and Internal ControlCertification/Accreditation of Third-PartyService Providers

3.3 Independent Effectiveness Evaluation ofIT Services

3.4 Independent Effectiveness Evaluation ofThird-Party Service Providers

3.5 Independent Assurance of Compliancewith Laws and Regulatory Requirementsand Contractual Commitments

3.6 Independent Assurance of Compliancewith Laws and Regulatory Requirementsand Contractual Commitments by Third-Party Service Providers

3.7 Competence of Independent AssuranceFunction

3.8 Proactive Audit Involvement4.0 Provide for Independent Audit

4.1 Audit Charter4.2 Independence4.3 Professional Ethics and Standards4.4 Competence4.5 Planning4.6 Performance of Audit Work4.7 Reporting4.8 Follow-up Activities

DOMAINS, PROCESSES AND CONTROL OBJECTIVES


This page intentionally left blank

CONTROL OBJECTIVES


CONTROL OBJECTIVES

CONTROL OBJECTIVES


P L A N N I N G & O R G A N I S A T I O N

PO


Control over the IT process of

defining a strategic IT plan

that satisfies the business requirement

to strike an optimum balance of information technology opportunitiesand IT business requirements as well as ensuring its furtheraccomplishment

is enabled by

a strategic planning process undertaken at regular intervals giving riseto long-term plans; the long-term plans should periodically betranslated into operational plans setting clear and concrete short-termgoals

and takes into consideration

• enterprise business strategy• definition of how IT supports the business objectives• inventory of technological solutions and current infrastructure• monitoring the technology markets• timely feasibility studies and reality checks• existing systems assessments• enterprise position on risk, time-to-market, quality• need for senior management buy-in, support and

critical review

HIGH-LEVEL CONTROL OBJECTIVE

Planning & OrganisationDefine a Strategic Information Technology PlanPO1

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

SP

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

Monitoring

Delivery &Support

Acquisition & Implementation


CONTROL OBJECTIVES


PO11 DEFINE A STRATEGIC INFORMATION

TECHNOLOGY PLAN

1.1 IT as Part of the Organisation’s Long- andShort-Range PlanCONTROL OBJECTIVE

Senior management is responsible for developingand implementing long- and short-range plansthat fulfill the organisation’s mission and goals.In this respect, senior management should ensurethat IT issues as well as opportunities are ade-quately assessed and reflected in the organisa-tion’s long- and short-range plans. IT long- andshort-range plans should be developed to helpensure that the use of IT is aligned with the mission and business strategies of the organisation.

1.2 IT Long-Range PlanCONTROL OBJECTIVE

IT management and business process owners areresponsible for regularly developing IT long-range plans supporting the achievement of theorganisation’s overall missions and goals. Theplanning approach should include mechanisms tosolicit input from relevant internal and externalstakeholders impacted by the IT strategic plans.Accordingly, management should implement along-range planning process, adopt a structuredapproach and set up a standard plan structure.

1.3 IT Long-Range Planning — Approach and StructureCONTROL OBJECTIVE

IT management and business process ownersshould establish and apply a structured approachregarding the long-range planning process. Thisshould result in a high-quality plan which coversthe basic questions of what, who, how, when andwhy. The IT planning process should take intoaccount risk assessment results, including busi-ness, environmental, technology and humanresources risks. Aspects which need to be takeninto account and adequately addressed during the

planning process include the organisationalmodel and changes to it, geographical distribu-tion, technological evolution, costs, legal andregulatory requirements, requirements of thirdparties or the market, planning horizon, businessprocess re-engineering, staffing, in- or out-sourc-ing, data, application systems and technologyarchitectures. Benefits of the choices madeshould be clearly identified. The IT long- andshort-range plans should incorporate perfor-mance indicators and targets. The plan itselfshould also refer to other plans such as theorganisation quality plan and the information riskmanagement plan.

1.4 IT Long-Range Plan ChangesCONTROL OBJECTIVE

IT management and business process ownersshould ensure a process is in place to modify theIT long-range plan in a timely and accurate man-ner to accommodate changes to the organisa-tion’s long-range plan and changes in IT condi-tions. Management should establish a policyrequiring that IT long- and short-range plans aredeveloped and maintained.

1.5 Short-Range Planning for the IT FunctionCONTROL OBJECTIVE

IT management and business process ownersshould ensure that the IT long-range plan is regu-larly translated into IT short-range plans. Suchshort-range plans should ensure that appropriateIT function resources are allocated on a basisconsistent with the IT long-range plan. Theshort-range plans should be reassessed periodi-cally and amended as necessary in response tochanging business and IT conditions. The timelyperformance of feasibility studies should ensurethat the execution of the short-range plans is ade-quately initiated.

continued on next page

DETAILED CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES continued

1.6 Communication of IT Plans CONTROL OBJECTIVE

Management should ensure that IT long- andshort-range plans are communicated to businessprocess owners and other relevant parties acrossthe organisation.

1.7 Monitoring and Evaluating of IT PlansCONTROL OBJECTIVE

Management should establish processes to cap-ture and report feedback from business processowners and users regarding the quality and use-fulness of long- and short-range plans. The feed-back obtained should be evaluated and consid-ered in future IT planning.

1.8 Assessment of Existing SystemsCONTROL OBJECTIVE

Prior to developing or changing the strategic, orlong-range, IT plan, IT management shouldassess the existing information systems in termsof degree of business automation, functionality,stability, complexity, costs, strengths and weak-nesses in order to determine the degree to whichthe existing systems support the organisation’sbusiness requirements.

Planning & OrganisationDefine a Strategic Information Technology PlanPO1

CONTROL OBJECTIVES





Planning & OrganisationDefine the Information ArchitecturePO2


defining the information architecture


of optimising the organisation of the information systems

is enabled by

creating and maintaining a business information model and ensuringappropriate systems are defined to optimise the use of this information


• automated data repository and dictionary• data syntax rules • data ownership and criticality/security classification• an information model representing the business• enterprise information architectural standards

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

SP S S

Monitoring

Delivery &Support



peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


2 DEFINE THE INFORMATIONARCHITECTURE

2.1 Information Architecture ModelCONTROL OBJECTIVE

Information should be kept consistent with needsand should be identified, captured and communi-cated in a form and timeframe that enables peopleto carry out their responsibilities effectively andon a timely basis. Accordingly, the IT functionshould create and regularly update an informa-tion architecture model, encompassing the corpo-rate data model and the associated informationsystems. The information architecture modelshould be kept consistent with the IT long-rangeplan.

2.2 Corporate Data Dictionary and Data Syntax RulesCONTROL OBJECTIVE

The IT function should ensure the creation andcontinuous updating of a corporate data dictio-nary which incorporates the organisation’s datasyntax rules.

2.3 Data Classification SchemeCONTROL OBJECTIVE

A general classification framework should beestablished with regard to placement of data ininformation classes (i.e., security categories) aswell as allocation of ownership. The access rulesfor the classes should be appropriately defined.

2.4 Security LevelsCONTROL OBJECTIVE

Management should define, implement andmaintain security levels for each of the data clas-sifications identified above the level of “no pro-tection required.” These security levels shouldrepresent the appropriate (minimum) set of secu-rity and control measures for each of the classifi-cations and should be re-evaluated periodicallyand modified accordingly. Criteria for supportingdifferent levels of security in the extended enter-prise should be established to address the needsof evolving e-commerce, mobile computing andtelecommuting environments.

PO2DETAILED CONTROL OBJECTIVES



Planning & OrganisationDetermine Technological DirectionPO3


determining technological direction


to take advantage of available and emerging technology to drive andmake possible the business strategy

is enabled by

creation and maintenance of a technological infrastructure plan that sets andmanages clear and realistic expectations of what technology can offer in termsof products, services and delivery mechanisms


• capability of current infrastructure• monitoring technology developments via reliable sources • conducting proof-of-concepts• risk, constraints and opportunities• acquisition plans• migration strategy and roadmaps• vendor relationships• independent technology reassessment• hardware and software price/performance changes

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

SP

Monitoring

Delivery &Support



peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


3 DETERMINE TECHNOLOGICALDIRECTION

3.1 Technological Infrastructure PlanningCONTROL OBJECTIVE

The IT function should create and regularlyupdate a technological infrastructure plan whichis in accordance with the IT long- and short-range plans. Such a plan should encompassaspects such as systems architecture, technologi-cal direction and migration strategies.

3.2 Monitor Future Trends and RegulationsCONTROL OBJECTIVE

Continuous monitoring of future trends and regulatory conditions should be ensured by theIT function so that these factors can be taken intoconsideration during the development and main-tenance of the technological infrastructure plan.

3.3 Technological Infrastructure ContingencyCONTROL OBJECTIVE

The technological infrastructure plan should beassessed systematically for contingency aspects(i.e., redundancy, resilience, adequacy and evolu-tionary capability of the infrastructure).

3.4 Hardware and Software Acquisition PlansCONTROL OBJECTIVE

IT management should ensure that hardware andsoftware acquisition plans are established andreflect the needs identified in the technologicalinfrastructure plan.

3.5 Technology StandardsCONTROL OBJECTIVE

Based on the technological infrastructure plan,IT management should define technology normsin order to foster standardisation.

PO3DETAILED CONTROL OBJECTIVES



Planning & OrganisationDefine the Information Technology Organisation and RelationshipsPO4


defining the IT organisation and relationships


to deliver the right IT services

is enabled by

an organisation suitable in numbers and skills with roles andresponsibilities defined and communicated, aligned with the businessand that facilitates the strategy and provides for effective direction andadequate control


• board level responsibility for IT• management’s direction and supervision of IT• IT’s alignment with the business• IT’s involvement in key decision processes• organisational flexibility• clear roles and responsibilities• balance between supervision and empowerment• job descriptions• staffing levels and key personnel• organisational positioning of security,

quality and internal control functions• segregation of duties

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

SP

Monitoring

Delivery &Support



peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES4 DEFINE THE INFORMATION TECHNOLOGY

ORGANISATION AND RELATIONSHIPS

4.1 IT Planning or Steering CommitteeCONTROL OBJECTIVE

The organisation’s senior management shouldappoint a planning or steering committee to over-see the IT function and its activities. Committeemembership should include representatives fromsenior management, user management and the ITfunction. The committee should meet regularlyand report to senior management.

4.2 Organisational Placement of the IT FunctionCONTROL OBJECTIVE

In placing the IT function in the overall organisa-tion structure, senior management should ensureauthority, critical mass and independence fromuser departments to the degree necessary to guar-antee effective IT solutions and sufficientprogress in implementing them, and to establisha partnership relation with top management tohelp increase awareness, understanding and skillin identifying and resolving IT issues.

4.3 Review of Organisational AchievementsCONTROL OBJECTIVE

A framework should be in place for reviewingthe organisational structure to continuously meetobjectives and changing circumstances.

4.4 Roles and ResponsibilitiesCONTROL OBJECTIVE

Management should ensure that all personnel inthe organisation have and know their roles andresponsibilities in relation to information sys-tems. All personnel should have sufficientauthority to exercise the role and responsibilityassigned to them. Roles should be designed withconsideration to appropriate segregation ofduties. No one individual should control all keyaspects of a transaction or event. Everyoneshould be made aware that they have somedegree of responsibility for internal control and

security. Consequently, regular campaignsshould be organised and undertaken to increaseawareness and discipline.

4.5 Responsibility for Quality AssuranceCONTROL OBJECTIVE

Management should assign the responsibility forthe performance of the quality assurance functionto staff members of the IT function and ensurethat appropriate quality assurance, systems, controls and communications expertise exist inthe IT function’s quality assurance group. Theorganisational placement within the IT functionand the responsibilities and the size of the qualityassurance group should satisfy the requirementsof the organisation.

4.6 Responsibility for Logical and PhysicalSecurityCONTROL OBJECTIVE

Management should formally assign the respon-sibility for assuring both the logical and physicalsecurity of the organisation’s information assetsto an information security manager, reporting tothe organisation’s senior management. At a mini-mum, security management responsibility shouldbe established at the organisation-wide level todeal with overall security issues in an organisa-tion. If needed, additional security managementresponsibilities should be assigned at a system-specific level to cope with the related securityissues.

4.7 Ownership and CustodianshipCONTROL OBJECTIVE

Management should create a structure for for-mally appointing the data owners and custodians.Their roles and responsibilities should be clearlydefined.

PO4



Planning & OrganisationDefine the Information Technology Organisation and RelationshipsPO4

4.8 Data and System OwnershipCONTROL OBJECTIVE

Management should ensure that all informationassets (data and systems) have an appointedowner who makes decisions about classificationand access rights. System owners typically dele-gate day-to-day custodianship to the systemsdelivery/operations group and delegate securityresponsibilities to a security administrator.Owners, however, remain accountable for themaintenance of appropriate security measures.

4.9 SupervisionCONTROL OBJECTIVE

Senior management should implement adequatesupervisory practices in the IT function to ensure that roles and responsibilities are properlyexercised, to assess whether all personnel havesufficient authority and resources to execute theirroles and responsibilities, and to generallyreview key performance indicators.

4.10 Segregation of DutiesCONTROL OBJECTIVE

Senior management should implement a divisionof roles and responsibilities which shouldexclude the possibility for a single individual tosubvert a critical process. Management shouldalso make sure that personnel are performingonly those duties stipulated for their respectivejobs and positions. In particular, a segregation ofduties should be maintained between the follow-ing functions:• information systems use• data entry• computer operation• network management• system administration• systems development and maintenance• change management• security administration• security audit

4.11 IT StaffingCONTROL OBJECTIVE

Staffing requirements evaluations should be performed regularly to ensure the IT function hasa sufficient number of competent IT staff.Staffing requirements should be evaluated at leastannually or upon major changes to the business,operational or IT environment. Evaluation resultsshould be acted upon promptly to ensure adequate staffing now and in the future.

4.12 Job or Position Descriptions for IT StaffCONTROL OBJECTIVE

Management should ensure that position descrip-tions for IT staff are established and updated reg-ularly. These position descriptions should clearlydelineate both authority and responsibility,include definitions of skills and experience need-ed in the relevant position, and be suitable for usein performance evaluation.

4.13 Key IT PersonnelCONTROL OBJECTIVE

IT management should define and identify keyIT personnel.

4.14 Contracted Staff Policies and ProceduresCONTROL OBJECTIVE

Management should define and implement relevant policies and procedures for controllingthe activities of consultants and other contractpersonnel by the IT function to assure the protection of the organisation’s informationassets.

4.15 RelationshipsCONTROL OBJECTIVE

IT management should undertake the necessaryactions to establish and maintain an optimalcoordination, communication and liaison struc-ture between the IT function and various otherinterests inside and outside the IT function (i.e.,users, suppliers, security officers, risk managers).


CONTROL OBJECTIVES





Planning & OrganisationManage the Information Technology InvestmentPO5


managing the IT investment


to ensure funding and to control disbursement of financial resources

is enabled by

a periodic investment and operational budget established and approvedby the business


• funding alternatives• clear budget ownership • control of actual spending• cost justification and awareness of total cost of ownership• benefit justification and accountability for benefit fulfillment• technology and application software life cycles• alignment with enterprise business strategy• impact assessment• asset management

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

PP S

Monitoring

Delivery &Support



peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES5 MANAGE THE INFORMATION

TECHNOLOGY INVESTMENT

5.1 Annual IT Operating BudgetCONTROL OBJECTIVE

Senior management should implement a budget-ing process to ensure that an annual IT operatingbudget is established and approved in line withthe organisation’s long- and short-range plans aswell as with the IT long- and short-range plans.Funding alternatives should be investigated.

5.2 Cost and Benefit MonitoringCONTROL OBJECTIVE

Management should establish a cost monitoringprocess comparing actuals to budgets. Moreover,the possible benefits derived from the IT activi-ties should be determined and reported. For costmonitoring, the source of the actual figuresshould be based upon the organisation’s account-ing system and that system should routinelyrecord, process and report the costs associatedwith the activities of the IT function. For benefitmonitoring, high-level performance indicatorsshould be defined, regularly reported andreviewed for adequacy.

5.3 Cost and Benefit JustificationCONTROL OBJECTIVE

A management control should be in place toguarantee that the delivery of services by the ITfunction is cost justified and in line with theindustry. The benefits derived from IT activitiesshould similarly be analysed.

PO5



Planning & OrganisationCommunicate Management Aims and DirectionPO6


communicating management aims and direction


to ensure user awareness and understanding of those aims

is enabled by

policies established and communicated to the user community;furthermore, standards need to be established to translate the strategic options into practical and usable user rules


• clearly articulated mission• technology directives linked to business aims• code of conduct/ethics• quality commitment• security and internal control policies• security and internal control practices• lead-by-example• continuous communications programme• providing guidance and checking compliance

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P S

Monitoring

Delivery &Support



peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES6 COMMUNICATE MANAGEMENT AIMS AND

DIRECTION

6.1 Positive Information Control EnvironmentCONTROL OBJECTIVE

In order to provide guidance for proper behav-iour, remove temptation for unethical behaviourand provide discipline, where appropriate, man-agement should create a framework and anawareness programme fostering a positive con-trol environment throughout the entire organisa-tion. This should address the integrity, ethicalvalues and competence of the people, manage-ment philosophy, operating style and account-ability. Specific attention is to be given to ITaspects, including security and business continu-ity planning.

6.2 Management’s Responsibility for PoliciesCONTROL OBJECTIVE

Management should assume full responsibilityfor formulating, developing, documenting, pro-mulgating and controlling policies covering gen-eral aims and directives. Regular reviews of poli-cies for appropriateness should be carried out.The complexity of the written policies and proce-dures should always be commensurate with theorganisation size and management style.

6.3 Communication of Organisation PoliciesCONTROL OBJECTIVE

Management should ensure that organisationalpolicies are clearly communicated, understoodand accepted by all levels in the organisation.The communication process should be supportedby an effective plan that uses a diversified set ofcommunication means.

6.4 Policy Implementation ResourcesCONTROL OBJECTIVE

Management should plan for appropriateresources for policy implementation and forensuring compliance, so that they are built intoand are an integral part of operations.

Management should also monitor the timelinessof the policy implementation.

6.5 Maintenance of PoliciesCONTROL OBJECTIVE

Policies should be adjusted regularly to accom-modate changing conditions. Policies should bere-evaluated, at least annually or upon significantchanges to the operating or business environ-ment, to assess their adequacy and appropriate-ness, and amended as necessary. Managementshould provide a framework and process for theperiodic review and approval of standards, poli-cies, directives and procedures.

6.6 Compliance with Policies, Proceduresand StandardsCONTROL OBJECTIVE

Management should ensure that appropriate pro-cedures are in place to determine whether per-sonnel understand the implemented policies andprocedures, and that the polices and proceduresare being followed. Compliance procedures forethical, security and internal control standardsshould be set by top management and promotedby example.

6.7 Quality CommitmentCONTROL OBJECTIVE

IT management should define, document andmaintain a quality philosophy, policies andobjectives which are consistent with the corpo-rate philosophies and policies in this regard. Thequality philosophy, policies and objectivesshould be understood, implemented and main-tained at all levels of the IT function.

PO6



Planning & OrganisationCommunicate Management Aims and DirectionPO6

6.8 Security and Internal Control FrameworkPolicyCONTROL OBJECTIVE

Management should assume full responsibilityfor developing and maintaining a framework pol-icy which establishes the organisation’s overallapproach to security and internal control toestablish and improve the protection of ITresources and integrity of IT systems. The policyshould comply with overall business objectivesand be aimed at minimisation of risks throughpreventive measures, timely identification ofirregularities, limitation of losses and timelyrestoration. Measures should be based oncost/benefit analyses and should be prioritised. Inaddition, management should ensure that thishigh-level security and internal control policyspecifies the purpose and objectives, the manage-ment structure, the scope within the organisation,the definition and assignment of responsibilitiesfor implementation at all levels, and the defini-tion of penalties and disciplinary actions associ-ated with failing to comply with security andinternal control policies. Criteria for periodic re-evaluation of the framework should be defined tosupport responsiveness to changing organisation-al, environmental and technical requirements.

6.9 Intellectual Property RightsCONTROL OBJECTIVE

Management should provide and implement awritten policy on intellectual property rights covering in-house as well as contract-developedsoftware.

6.10 Issue-Specific PoliciesCONTROL OBJECTIVE

Measures should be put in place to ensure thatissue-specific policies are established to document management decisions in addressingparticular activities, applications, systems ortechnologies.

6.11 Communication of IT Security AwarenessCONTROL OBJECTIVE

An IT security awareness programme shouldcommunicate the IT security policy to each ITuser and assure a complete understanding of theimportance of IT security. It should convey themessage that IT security is to the benefit of theorganisation, all its employees, and that every-body is responsible for it. The IT security awareness programme should be supported by,and represent, the view of management.


CONTROL OBJECTIVES





Planning & OrganisationManage Human ResourcesPO7


managing human resources


to acquire and maintain a motivated and competent workforce andmaximise personnel contributions to the IT processes

is enabled by

sound, fair and transparent personnel management practices to recruit,line, vet, compensate, train, appraise, promote and dismiss


• recruitment and promotion• training and qualification requirements• awareness building• cross-training and job rotation• hiring, vetting and dismissal procedures• objective and measurable performance evaluation• responsiveness to technical and market changes• properly balancing internal and external resources• succession plan for key positions

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

PP

Monitoring

Delivery &Support



peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES7 MANAGE HUMAN RESOURCES

7.1 Personnel Recruitment and PromotionCONTROL OBJECTIVE

Management should implement and regularlyassess the needed processes to ensure that per-sonnel recruiting and promotion practices arebased on objective criteria and consider educa-tion, experience and responsibility. Theseprocesses should be in line with the overallorganisation’s policies and procedures in thisregard, such as hiring, orienting, training, evalu-ating, counselling, promoting, compensating anddisciplining. Management should ensure thatknowledge and skill needs are continuallyassessed and that the organisation is able toobtain a workforce that has the skills whichmatch those necessary to achieve organisationalgoals.

7.2 Personnel QualificationsCONTROL OBJECTIVE

IT management should regularly verify that personnel performing specific tasks are qualifiedon the basis of appropriate education, trainingand/or experience, as required. Managementshould encourage personnel to obtain member-ship in professional organisations.

7.3 Roles and ResponsibilitiesCONTROL OBJECTIVE

Management should clearly define roles andresponsibilities for personnel, including therequirement to adhere to management policiesand procedures, the code of ethics and profes-sional practices. The terms and conditions ofemployment should stress the employee’sresponsibility for information security andinternal control.

7.4 Personnel TrainingCONTROL OBJECTIVE

Management should ensure that employees areprovided with orientation upon hiring and withon-going training to maintain their knowledge,skills, abilities and security awareness to thelevel required to perform effectively. Educationand training programmes conducted to effective-ly raise the technical and management skill lev-els of personnel should be reviewed regularly.

7.5 Cross-Training or Staff Back-upCONTROL OBJECTIVE

Management should provide for sufficient cross-training or back-up of identified key personnel toaddress unavailabilities. Management shouldestablish succession plans for all key functionsand positions. Personnel in sensitive positionsshould be required to take uninterrupted holidaysof sufficient length to exercise the organisation’sability to cope with unavailabilities and to pre-vent and detect fraudulent activity.

7.6 Personnel Clearance ProceduresCONTROL OBJECTIVE

IT management should ensure that their personnel are subjected to security clearancebefore they are hired, transferred or promoted,depending on the sensitivity of the position. Anemployee who was not subjected to such a clearance when first hired, should not be placedin a sensitive position until a security clearancehas been obtained.

PO7




7.7 Employee Job Performance EvaluationCONTROL OBJECTIVE

Management should implement an employeeperformance evaluation process, reinforced by aneffective reward system, that is designed to helpemployees understand the connection betweentheir performance and the organisation’s success.Evaluation should be performed against estab-lished standards and specific job responsibilitieson a regular basis. Employees should receivecounselling on performance or conduct wheneverappropriate.

7.8 Job Change and TerminationCONTROL OBJECTIVE

Management should ensure that appropriate andtimely actions are taken regarding job changesand job terminations so that internal controls andsecurity are not impaired by such occurrences.

Planning & OrganisationManage Human ResourcesPO7

CONTROL OBJECTIVES





Planning & OrganisationEnsure Compliance with External RequirementsPO8


ensuring compliance with external requirements


to meet legal, regulatory and contractual obligations

is enabled by

identifying and analysing external requirements for their IT impact,and taking appropriate measures to comply with them


• laws, regulations and contracts• monitoring legal and regulatory developments• regular monitoring for compliance• safety and ergonomics• privacy• intellectual property

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P P S

Monitoring

Delivery &Support



peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES8 ENSURE COMPLIANCE WITH EXTERNAL

REQUIREMENTS

8.1 External Requirements ReviewCONTROL OBJECTIVE

The organisation should establish and maintainprocedures for external requirements review andfor the coordination of these activities. Continuousresearch should determine the applicable externalrequirements for the organisation. Legal, govern-ment or other external requirements related to ITpractices and controls should be reviewed.Management should also assess the impact ofany external relationships on the organisation’soverall information needs, including determina-tion of the extent to which IT strategies need toconform with or support the requirements of anyrelated third-parties.

8.2 Practices and Procedures for Complying withExternal RequirementsCONTROL OBJECTIVE

Organisational practices should ensure thatappropriate corrective actions are taken on atimely basis to guarantee compliance with externalrequirements. In addition, adequate proceduresassuring continuous compliance should be established and maintained. In this regard, management should seek legal advice if required.

8.3 Safety and Ergonomic ComplianceCONTROL OBJECTIVE

Management should ensure compliance withsafety and ergonomic standards in the workingenvironment of IT users and personnel.

8.4 Privacy, Intellectual Property and Data FlowCONTROL OBJECTIVE

Management should ensure compliance with privacy, intellectual property, transborder dataflow and cryptographic regulations applicable to the IT practices of the organisation.

8.5 Electronic CommerceCONTROL OBJECTIVE

Management should ensure that formal contractsare in place establishing agreement between trad-ing partners on communication processes and onstandards for transaction message security anddata storage. When trading on the Internet, man-agement should enforce adequate controls toensure compliance with local laws and customson a world-wide basis.

8.6 Compliance with Insurance ContractsCONTROL OBJECTIVE

Management should ensure that insurance con-tract requirements are properly identified andcontinuously met.

PO8

PO9



Planning & OrganisationAssess Risks


assessing risks


of supporting management decisions through achieving IT objectivesand responding to threats by reducing complexity, increasingobjectivity and identifying important decision factors

is enabled by

the organisation engaging itself in IT risk-identification and impact analysis, involving multi-disciplinary functions and taking cost-effective measures to mitigate risks


• risk management ownership and accountability• different kinds of IT risks (technology, security, continuity,

regulatory, etc.)• defined and communicated risk tolerance profile• root cause analyses and risk brainstorming sessions• quantitative and/or qualitative risk measurement• risk assessment methodology• risk action plan• timely reassessment

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

SP PP P SS

Monitoring

Delivery &Support



peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES9 ASSESS RISKS

9.1 Business Risk AssessmentCONTROL OBJECTIVE

Management should establish a systematic riskassessment framework. Such a framework shouldincorporate a regular assessment of the relevantinformation risks to the achievement of the busi-ness objectives, forming a basis for determininghow the risks should be managed to an accept-able level. The process should provide for riskassessments at both the global level and systemspecific level, for new projects as well as on arecurring basis, and with cross-disciplinary par-ticipation. Management should ensure thatreassessments occur and that risk assessmentinformation is updated with results of audits,inspections and identified incidents.

9.2 Risk Assessment ApproachCONTROL OBJECTIVE

Management should establish a general riskassessment approach which defines the scopeand boundaries, the methodology to be adoptedfor risk assessments, the responsibilities and therequired skills. Management should lead theidentification of the risk mitigation solution andbe involved in identifying vulnerabilities.Security specialists should lead threat identifica-tion and IT specialists should drive the controlselection. The quality of the risk assessmentsshould be ensured by a structured method andskilled risk assessors.

9.3 Risk IdentificationCONTROL OBJECTIVE

The risk assessment approach should focus onthe examination of the essential elements of riskand the cause/effect relationship between them.The essential elements of risk include tangibleand intangible assets, asset value, threats, vulner-abilities, safeguards, consequences and likeli-hood of threat. The risk identification processshould include qualitative and, where appropri-

ate, quantitative risk ranking and should obtaininput from management brainstorming, strategicplanning, past audits and other assessments. Therisk assessment should consider business, regula-tory, legal, technology, trading partner andhuman resources risks.

9.4 Risk MeasurementCONTROL OBJECTIVE

The risk assessment approach should ensure thatthe analysis of risk identification informationresults in a quantitative and/or qualitative mea-surement of risk to which the examined area isexposed. The risk acceptance capacity of theorganisation should also be assessed.

9.5 Risk Action Plan CONTROL OBJECTIVE

The risk assessment approach should provide forthe definition of a risk action plan to ensure thatcost-effective controls and security measuresmitigate exposure to risks on a continuing basis.The risk action plan should identify the risk strat-egy in terms of risk avoidance, mitigation oracceptance.

9.6 Risk AcceptanceCONTROL OBJECTIVE

The risk assessment approach should ensure theformal acceptance of the residual risk, dependingon risk identification and measurement, organisa-tional policy, uncertainty incorporated in the riskassessment approach itself and the cost effective-ness of implementing safeguards and controls.The residual risk should be offset with adequateinsurance coverage, contractually negotiated lia-bilities and self-insurance.

PO9


PO9



9.7 Safeguard SelectionCONTROL OBJECTIVE

While aiming for a reasonable, appropriate andproportional system of controls and safeguards,controls with the highest return on investment(ROI) and those that provide quick wins shouldreceive first priority. The control system alsoneeds to balance prevention, detection, correctionand recovery measures. Furthermore, manage-ment needs to communicate the purpose of thecontrol measures, manage conflicting measuresand monitor the continuing effectiveness of allcontrol measures.

9.8 Risk Assessment CommitmentCONTROL OBJECTIVE

Management should encourage risk assessmentas an important tool in providing information inthe design and implementation of internal con-trols, in the definition of the IT strategic plan andin the monitoring and evaluation mechanisms.

Planning & OrganisationAssess Risks

CONTROL OBJECTIVES





Planning & OrganisationManage ProjectsPO10


managing projects


to set priorities and to deliver on time and within budget

is enabled by

the organisation identifying and prioritising projects in line with theoperational plan and the adoption and application of sound projectmanagement techniques for each project undertaken


• business management sponsorship for projects • program management• project management capabilities• user involvement• task breakdown, milestone definition and phase approvals• allocation of responsibilities• rigorous tracking of milestones and deliverables• cost and manpower budgets, balancing internal

and external resources• quality assurance plans and methods• program and project risk assessments• transition from development to

operations

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

PP

Monitoring

Delivery &Support



peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES10 MANAGE PROJECTS

10.1 Project Management FrameworkCONTROL OBJECTIVE

Management should establish a general projectmanagement framework which defines the scopeand boundaries of managing projects, as well asthe project management methodology to beadopted and applied to each project undertaken.The methodology should cover, at a minimum,the allocation of responsibilities, task breakdown,budgeting of time and resources, milestones,check points and approvals.

10.2 User Department Participation in ProjectInitiationCONTROL OBJECTIVE

The organisation’s project management frame-work should provide for participation by theaffected user department management in the definition and authorisation of a development,implementation or modification project.

10.3 Project Team Membership andResponsibilitiesCONTROL OBJECTIVE

The organisation’s project management frame-work should specify the basis for assigning staffmembers to the project and define the responsi-bilities and authorities of the project team members.

10.4 Project DefinitionCONTROL OBJECTIVE

The organisation’s project management frame-work should provide for the creation of a clearwritten statement defining the nature and scopeof every implementation project before work onthe project begins.

10.5 Project ApprovalCONTROL OBJECTIVE

The organisation’s project management frameworkshould ensure that for each proposed project, theorganisation’s senior management reviews thereports of the relevant feasibility studies as abasis for its decision on whether to proceed withthe project.

10.6 Project Phase ApprovalCONTROL OBJECTIVE

The organisation’s project management frame-work should provide for designated managers ofthe user and IT functions to approve the workaccomplished in each phase of the cycle beforework on the next phase begins.

10.7 Project Master PlanCONTROL OBJECTIVE

Management should ensure that for eachapproved project a project master plan is createdwhich is adequate for maintaining control overthe project throughout its life and which includesa method of monitoring the time and costsincurred throughout the life of the project. Thecontent of the project plan should include state-ments of scope, objectives, required resourcesand responsibilities and should provide informa-tion to permit management to measure progress.

10.8 System Quality Assurance PlanCONTROL OBJECTIVE

Management should ensure that the implementa-tion of a new or modified system includes thepreparation of a quality plan which is then inte-grated with the project master plan and formallyreviewed and agreed to by all parties concerned.

10.9 Planning of Assurance MethodsCONTROL OBJECTIVE

Assurance tasks are to be identified during theplanning phase of the project management

PO10



Planning & OrganisationManage ProjectsPO10

framework. Assurance tasks should support theaccreditation of new or modified systems andshould assure that internal controls and securityfeatures meet the related requirements.

10.10 Formal Project Risk ManagementCONTROL OBJECTIVE

Management should implement a formal projectrisk management programme for eliminating orminimising risks associated with individual pro-jects (i.e., identifying and controlling the areas orevents that have the potential to cause unwantedchange).

10.11 Test PlanCONTROL OBJECTIVE

The organisation’s project management frame-work should require that a test plan be createdfor every development, implementation andmodification project.

10.12 Training PlanCONTROL OBJECTIVE

The organisation’s project management frame-work should require that a training plan be creat-ed for every development, implementation andmodification project.

10.13 Post-Implementation Review PlanCONTROL OBJECTIVE

The organisation’s project management frame-work should provide, as an integral part of theproject team’s activities, for the development of aplan for a post-implementation review of everynew or modified information system to ascertainwhether the project has delivered the plannedbenefits.


CONTROL OBJECTIVES





Planning & OrganisationManage QualityPO11


managing quality


to meet the IT customer requirements

is enabled by

the planning, implementing and maintaining of quality managementstandards and systems providing for distinct development phases, cleardeliverables and explicit responsibilities


• establishment of a quality culture• quality plans• quality assurance responsibilities• quality control practices• system development life cycle methodology• programme and system testing and documentation• quality assurance reviews and reporting• training and involvement of end user and

quality assurance personnel• development of a quality assurance

knowledge base• benchmarking against industry norms

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P SPP

Monitoring

Delivery &Support



peop

leap

plica

tions

techn

ology

facilit

iesda

ta

DETAILED CONTROL OBJECTIVE

CONTROL OBJECTIVES


11 MANAGE QUALITY

11.1 General Quality PlanCONTROL OBJECTIVE

Management should develop and regularly main-tain an overall quality plan based on the organi-sational and IT long-range plans. The plan shouldpromote the continuous improvement philosophyand answer the basic questions of what, who andhow.

11.2 Quality Assurance ApproachCONTROL OBJECTIVE

Management should establish a standardapproach regarding quality assurance which covers both general and project specific qualityassurance activities. The approach should prescribe the type(s) of quality assurance activities (such as reviews, audits, inspections,etc.) to be performed to achieve the objectives of the general quality plan. It should also requirespecific quality assurance reviews.

11.3 Quality Assurance PlanningCONTROL OBJECTIVE

Management should implement a quality assur-ance planning process to determine the scope andtiming of the quality assurance activities.

11.4 Quality Assurance Review of Adherence to IT Standards and ProceduresCONTROL OBJECTIVE

Management should ensure that the responsibili-ties assigned to the quality assurance personnelinclude a review of general adherence to ITstandards and procedures.

11.5 System Development Life Cycle MethodologyCONTROL OBJECTIVE

The organisation’s management should defineand implement IT standards and adopt a systemdevelopment life cycle methodology governingthe process of developing, acquiring, implement-ing and maintaining computerised information

systems and related technology. The chosen sys-tem development life cycle methodology shouldbe appropriate for the systems to be developed,acquired, implemented and maintained.

11.6 System Development Life Cycle Methodologyfor Major Changes to Existing TechnologyCONTROL OBJECTIVE

In the event of major changes to existing tech-nology, management should ensure that a systemdevelopment life cycle methodology is observed,as in the case of the acquisition or development ofnew technology.

11.7 Updating of the System Development LifeCycle MethodologyCONTROL OBJECTIVE

Management should implement a periodic reviewof its system development life cycle methodolo-gy to ensure that its provisions reflect currentgenerally accepted techniques and procedures.

11.8 Coordination and CommunicationCONTROL OBJECTIVE

Management should establish a process forensuring close coordination and communicationbetween customers of the IT function and systemimplementors. This process should entail struc-tured methods using the system development lifecycle methodology to ensure the provision ofquality IT solutions which meet the businessdemands. Management should promote an organ-isation which is characterised by close coopera-tion and communication throughout the systemdevelopment life cycle.

PO11



Planning & OrganisationManage QualityPO11

11.9 Acquisition and Maintenance Framework forthe Technology InfrastructureCONTROL OBJECTIVE

A general framework should be in place regard-ing the acquisition and maintenance of the tech-nology infrastructure. The different steps to befollowed regarding the technology infrastructure(such as acquiring; programming, documenting,and testing; parameter setting; maintaining andapplying fixes) should be governed by, and inline with, the acquisition and maintenance frame-work for the technology infrastructure.

11.10 Third-Party Implementor RelationshipsCONTROL OBJECTIVE

Management should implement a process toensure good working relationships with third-party implementors. Such a process should provide that the user and implementor agree toacceptance criteria, handling of changes, problemsduring development, user roles, facilities, tools,software, standards and procedures.

11.11 Programme Documentation StandardsCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should incorporate standards forprogramme documentation which have beencommunicated to the concerned staff andenforced. The methodology should ensure thatthe documentation created during informationsystem development or modification projectsconforms to these standards.

11.12 Programme Testing StandardsCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide standards coveringtest requirements, verification, documentationand retention for testing individual software unitsand aggregated programmes created as part ofevery information system development or modi-fication project.

11.13 System Testing StandardsCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide standards coveringtest requirements, verification, documentation,and retention for the testing of the total system asa part of every information system developmentor modification project.

11.14 Parallel/Pilot TestingCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should define the circumstancesunder which parallel or pilot testing of newand/or existing systems will be conducted.

11.15 System Testing DocumentationCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide, as part of everyinformation system development, implementation,or modification project, that the documentedresults of testing the system are retained.


CONTROL OBJECTIVES


11.16 Quality Assurance Evaluation of Adherence toDevelopment StandardsCONTROL OBJECTIVE

The organisation’s quality assurance approachshould require that a post-implementation reviewof an operational information system assesswhether the project team adhered to the provi-sions of the system development life cyclemethodology.

11.17 Quality Assurance Review of the Achievementof IT ObjectivesCONTROL OBJECTIVE

The quality assurance approach should include areview of the extent to which particular systemsand application development activities haveachieved the objectives of the information services function.

11.18 Quality MetricsCONTROL OBJECTIVE

Management should define and use metrics tomeasure the results of activities, thus assessingwhether quality goals have been achieved.

11.19 Reports of Quality Assurance ReviewsCONTROL OBJECTIVE

Reports of quality assurance reviews should beprepared and submitted to management of userdepartments and the IT function.

PO11

CONTROL OBJECTIVES


A C Q U I S I T I O N & I M P L E M E N T A T I O N

AI



Acquisition & ImplementationIdentify Automated SolutionsAI1


identifying automated solutions


of ensuring an effective and efficient approach to satisfy the userrequirements

is enabled by

an objective and clear identification and analysis of the alternativeopportunities measured against user requirements


• knowledge of solutions available in the market• acquisition and implementation methodologies• user involvement and buy in• alignment with enterprise and IT strategies• information requirements definition• feasibility studies (costs, benefits, alternatives, etc.)• functionality, operability, acceptability and sustainability

requirements• compliance with information architecture• cost-effective security and control• supplier responsibilities

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P S


Monitoring

Delivery &Support


peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES1 IDENTIFY AUTOMATED SOLUTIONS

1.1 Definition of Information RequirementsCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide that the businessrequirements satisfied by the existing system andto be satisfied by the proposed new or modifiedsystem (software, data and infrastructure) beclearly defined before a development, implemen-tation or modification project is approved. Thesystem development life cycle methodologyshould require that the solution’s functional andoperational requirements be specified includingperformance, safety, reliability, compatibility,security and legislation.

1.2 Formulation of Alternative Courses of ActionCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide for the analysis ofthe alternative courses of action that will satisfythe business requirements established for a pro-posed new or modified system.

1.3 Formulation of Acquisition StrategyCONTROL OBJECTIVE

Information systems acquisition, developmentand maintenance should be considered in thecontext of the organisation’s IT long- and short-range plans. The organisation’s system develop-ment life cycle methodology should provide for asoftware acquisition strategy plan definingwhether the software will be acquired off-the-shelf, developed internally, through contract orby enhancing the existing software, or a combi-nation of all these.

1.4 Third-Party Service RequirementsCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide for the evaluation

of the requirements and the specifications for anRFP (request for proposal) when dealing with athird-party service vendor.

1.5 Technological Feasibility StudyCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide for an examinationof the technological feasibility of each alternativefor satisfying the business requirements estab-lished for the development of a proposed new ormodified information system project.

1.6 Economic Feasibility StudyCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide, in each proposedinformation systems development, implementa-tion and modification project, for an analysis ofthe costs and benefits associated with each alter-native being considered for satisfying the estab-lished business requirements.

1.7 Information ArchitectureCONTROL OBJECTIVE

Management should ensure that attention is paidto the enterprise data model while solutions arebeing identified and analysed for feasibility.

1.8 Risk Analysis ReportCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide, in each proposedinformation system development, implementa-tion or modification project, for an analysis anddocumentation of the security threats, potentialvulnerabilities and impacts, and the feasiblesecurity and internal control safeguards forreducing or eliminating the identified risk. Thisshould be realised in line with the overall riskassessment framework.

AI1



Acquisition & ImplementationIdentify Automated SolutionsAI1

1.9 Cost-Effective Security ControlsCONTROL OBJECTIVE

Management should ensure that the costs andbenefits of security are carefully examined inmonetary and non-monetary terms to guaranteethat the costs of controls do not exceed benefits.The decision requires formal management sign-off. All security requirements should be identi-fied at the requirements phase of a project andjustified, agreed and documented as part of theoverall business case for an information system.Security requirements for business continuitymanagement should be defined to ensure that the planned activation, fallback and resump-tion processes are supported by the proposedsolution.

1.10 Audit Trails DesignCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should require that adequate mechanisms for audit trails are available or canbe developed for the solution identified andselected. The mechanisms should provide theability to protect sensitive data (e.g., user ID’s)against discovery and misuse.

1.11 ErgonomicsCONTROL OBJECTIVE

Management should ensure that the informationsystem development, implementation and changeprojects undertaken by the IT function pay attention to ergonomic issues associated with theintroduction of automated solutions.

1.12 Selection of System SoftwareCONTROL OBJECTIVE

Management should ensure that a standard procedure is adhered to by the IT function toidentify all potential system software pro-grammes that will satisfy its operational requirements.

1.13 Procurement ControlCONTROL OBJECTIVE

Management should develop and implement acentral procurement approach describing a common set of procedures and standards to befollowed in the procurement of information technology related hardware, software and services. Products should be reviewed and testedprior to their use and the financial settlement.

1.14 Software Product AcquisitionCONTROL OBJECTIVE

Software product acquisition should follow theorganisation’s procurement policies.

1.15 Third-Party Software MaintenanceCONTROL OBJECTIVE

Management should require that for licensedsoftware acquired from third-party providers, theproviders have appropriate procedures to validate,protect and maintain the software product’sintegrity rights. Consideration should be given tothe support of the product in any maintenanceagreement related to the delivered product.

1.16 Contract Application ProgrammingCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide that the procure-ment of contract programming services be justi-fied with a written request for services from adesignated member of the IT function. The con-tract should stipulate that the software, documen-tation and other deliverables are subject to test-ing and review prior to acceptance. In addition, itshould require that the end products of complet-ed contract programming services be tested andreviewed according to the related standards bythe IT function’s quality assurance group andother concerned parties (such as users, projectmanagers, etc.) before payment for the work andapproval of the end product. Testing to be includ-


CONTROL OBJECTIVES


ed in contract specifications should consist ofsystem testing, integration testing, hardware andcomponent testing, procedure testing, load andstress testing, tuning and performance testing,regression testing, user acceptance testing and,finally, pilot testing of the total system to avoidany unexpected system failure.

1.17 Acceptance of FacilitiesCONTROL OBJECTIVE

Management should ensure that an acceptanceplan for facilities to be provided is agreed uponwith the supplier in the contract and this plandefines the acceptance procedures and criteria. Inaddition, acceptance tests should be performed toguarantee that the accommodation and environ-ment meet the requirements specified in the con-tract.

1.18 Acceptance of TechnologyCONTROL OBJECTIVE

Management should ensure that an acceptanceplan for specific technology to be provided isagreed upon with the supplier in the contract andthis plan defines the acceptance procedures andcriteria. In addition, acceptance tests provided forin the plan should include inspection, functional-ity tests and workload trials.

AI1



Acquisition & ImplementationAcquire and Maintain Application SoftwareAI2


acquiring and maintaining application software


to provide automated functions which effectively support the businessprocess

is enabled by

the definition of specific statements of functional and operationalrequirements, and a phased implementation with clear deliverables


• functional testing and acceptance• application controls and security requirements• documentation requirements• application software life cycle• enterprise information architecture• system development life cycle methodology• user-machine interface• package customisation

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P S S SP


Monitoring

Delivery &Support


peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES2 ACQUIRE AND MAINTAIN APPLICATION

SOFTWARE

2.1 Design MethodsCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide that appropriateprocedures and techniques, involving close liaison with system users, are applied to createthe design specifications for each new informa-tion system development project and to verifythe design specifications against the user require-ments.

2.2 Major Changes to Existing SystemsCONTROL OBJECTIVE

Management should ensure, that in the event ofmajor changes to existing systems, a similardevelopment process is observed as in the caseof the development of new systems.

2.3 Design ApprovalCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should require that the design spec-ifications for all information system developmentand modification projects be reviewed andapproved by management, the affected userdepartments and the organisation’s senior management, when appropriate.

2.4 File Requirements Definition andDocumentationCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide that an appropriateprocedure be applied for defining and document-ing the file format for each information systemdevelopment or modification project. Such a procedure should ensure that the data dictionaryrules are respected.

2.5 Programme SpecificationsCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should require that detailed writtenprogramme specifications be prepared for eachinformation system development or modificationproject. The methodology should further ensurethat programme specifications agree with systemdesign specifications.

2.6 Source Data Collection DesignCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should require that adequate mech-anisms for the collection and entry of data bespecified for each information system develop-ment or modification project.

2.7 Input Requirements Definition andDocumentationCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should require that adequate mech-anisms exist for defining and documenting theinput requirements for each information systemdevelopment or modification project.

2.8 Definition of InterfacesCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide that all external andinternal interfaces are properly specified,designed and documented.

2.9 User-Machine InterfaceCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide for the developmentof an interface between the user and machinewhich is easy to use and self-documenting (bymeans of online help functions).

AI2



Acquisition & ImplementationAcquire and Maintain Application SoftwareAI2

2.10 Processing Requirements Definition andDocumentationCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should require that adequate mech-anisms exist for defining and documenting theprocessing requirements for each informationsystem development or modification project.

2.11 Output Requirements Definition andDocumentationCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should require that adequate mech-anisms exist for defining and documenting theoutput requirements for each information systemdevelopment or modification project.

2.12 ControllabilityCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should require that adequate mech-anisms for assuring the internal control and security requirements be specified for each information system development or modificationproject. The methodology should further ensurethat information systems are designed to includeapplication controls which guarantee the accura-cy, completeness, timeliness and authorisation of inputs, processing and outputs. Sensitivityassessment should be performed during initiationof system development or modification. Thebasic security and internal control aspects of asystem to be developed or modified should beassessed along with the conceptual design of thesystem in order to integrate security concepts inthe design as early as possible.

2.13 Availability as a Key Design FactorCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide that availability isconsidered in the design process for new or mod-ified information systems at the earliest possiblestage. Availability should be analysed and, ifnecessary, increased through maintainability andreliability improvements.

2.14 IT Integrity Provisions in ApplicationProgramme SoftwareCONTROL OBJECTIVE

The organisation should establish procedures toassure, where applicable, that application pro-grammes contain provisions which routinely ver-ify the tasks performed by the software to helpassure data integrity, and which provide therestoration of the integrity through rollback orother means.

2.15 Application Software TestingCONTROL OBJECTIVE

Unit testing, application testing, integration testing, system testing, and load and stress testingshould be performed according to the project testplan and established testing standards before it isapproved by the user. Adequate measures shouldbe conducted to prevent disclosure of sensitiveinformation used during testing.

2.16 User Reference and Support MaterialsCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide that adequate userreference and support manuals be prepared(preferably in electronic format) as part of everyinformation system development or modificationproject.


CONTROL OBJECTIVES


2.17 Reassessment of System DesignCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should ensure that the systemdesign is reassessed whenever significant technical and/or logical discrepancies occur during system development or maintenance.

AI2

Acquisition & ImplementationAcquire and Maintain Technology Infrastructure



AI3


acquiring and maintaining technology infrastructure


to provide the appropriate platforms for supporting businessapplications

is enabled by

judicious hardware and software acquisition, standardising of software,assessment of hardware and software performance, and consistentsystem administration


• compliance with technology infrastructure directions and standards• technology assessment• installation, maintenance and change controls• upgrade, conversion and migration plans• use of internal and external infrastructures and/or resources• supplier responsibilities and relationships• change management • total cost of ownership• system software security

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P SP


Monitoring

Delivery &Support


peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES3 ACQUIRE AND MAINTAIN TECHNOLOGY

INFRASTRUCTURE

3.1 Assessment of New Hardware and SoftwareCONTROL OBJECTIVE

Hardware and software selection criteria shouldbe based on the functional specifications for thenew or modified system and should identifymandatory and optional requirements.Procedures should be in place to assess newhardware and software for any impact on the performance of the overall system.

3.2 Preventative Maintenance for HardwareCONTROL OBJECTIVE

IT management should schedule routine andperiodic hardware maintenance to reduce the fre-quency and impact of performance failures.

3.3 System Software SecurityCONTROL OBJECTIVE

IT management should ensure that the set-up ofsystem software to be installed does not jeopar-dise the security of the data and programmesbeing stored on the system. Attention should bepaid to set-up and maintenance of system softwareparameters.

3.4 System Software InstallationCONTROL OBJECTIVE

Procedures should be implemented to ensure thatsystem software is installed in accordance withthe acquisition and maintenance framework forthe technology infrastructure. Testing should beperformed before use in the production environ-ment is authorised. A group independent of theusers and developers should control the move-ment of programmes and data among libraries.

3.5 System Software MaintenanceCONTROL OBJECTIVE

Procedures should be implemented to ensure thatsystem software is maintained in accordancewith the acquisition and maintenance frameworkfor the technology infrastructure.

3.6 System Software Change ControlsCONTROL OBJECTIVE

Procedures should be implemented to ensure thatsystem software changes are controlled in linewith the organisation’s change management procedures.

3.7 Use and Monitoring of System UtilitiesCONTROL OBJECTIVE

Policies and techniques should be implementedfor using, monitoring and evaluating the use ofsystem utilities. Responsibilities for using sensi-tive software utilities should be clearly definedand understood by developers, and the use of theutilities should be monitored and logged.

AI3



Acquisition & ImplementationDevelop and Maintain ProceduresAI4


developing and maintaining procedures


to ensure the proper use of the applications and the technologicalsolutions put in place

is enabled by

a structured approach to the development of user and operationsprocedure manuals, service requirements and training materials


• business process re-design• treating procedures as any other technology deliverable• timely development• user procedures and controls• operational procedures and controls• training materials• managing change

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P P S S S


Monitoring

Delivery &Support


peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES4 DEVELOP AND MAINTAIN PROCEDURES

4.1 Operational Requirements and Service LevelsCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should ensure the timely definitionof operational requirements and service levels.

4.2 User Procedures ManualCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide that adequate userprocedures manuals be prepared and refreshed aspart of every information system development,implementation or modification project.

4.3 Operations ManualCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide that an adequateoperations manual be prepared and kept up-to-date as part of every information system devel-opment, implementation or modification project.

4.4 Training MaterialsCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should ensure that adequate train-ing materials are developed as part of everyinformation system development, implementa-tion or modification project. These materialsshould be focused on the system’s use in dailypractice.

AI4



Acquisition & ImplementationInstall and Accredit SystemsAI5


installing and accrediting systems


to verify and confirm that the solution is fit for the intended purpose

is enabled by

the realisation of a well-formalised installation migration, conversionand acceptance plan


• training of user and IT operations personnel• data conversion• a test environment reflecting the live environment• accreditation• post-implementation reviews and feedback• end user involvement in testing• continuous quality improvement plans• business continuity requirements• capacity and throughput measurement• agreed upon acceptance criteria

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P S S


Monitoring

Delivery &Support


peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES5 INSTALL AND ACCREDIT SYSTEMS

5.1 Training CONTROL OBJECTIVE

Staff of the affected user departments and theoperations group of the IT function should betrained in accordance with the defined trainingplan and associated materials, as part of everyinformation systems development, implementa-tion or modification project.

5.2 Application Software Performance SizingCONTROL OBJECTIVE

Application software performance sizing (optimisation) should be established as an integral part of the organisation’s system development life cycle methodology to forecastthe resources required for operating new and significantly changed software.

5.3 Implementation PlanCONTROL OBJECTIVE

An implementation plan should be prepared,reviewed and approved by relevant parties and beused to measure progress. The implementationplan should address site preparation, equipmentacquisition and installation, user training, installa-tion of operating software changes, implementa-tion of operating procedures and conversion.

5.4 System ConversionCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should provide, as part of everyinformation system development, implementa-tion or modification project, that the necessaryelements from the old system are converted tothe new one according to a pre-established plan.

5.5 Data ConversionCONTROL OBJECTIVE

Management should require that a data conver-sion plan is prepared, defining the methods ofcollecting and verifying the data to be converted

and identifying and resolving any errors foundduring conversion. Tests to be performedinclude comparing the original and convertedfiles, checking the compatibility of the converteddata with the new system, checking master filesafter conversion to ensure the accuracy of masterfile data and ensuring that transactions affectingmaster files update both the old and the newmaster files during the period between initialconversion and final implementation. A detailedverification of the initial processing of the newsystem should be performed to confirm success-ful implementation. Management should ensurethat the responsibility for successful conversionof data lies with the system owners.

5.6 Testing Strategies and PlansCONTROL OBJECTIVE

Testing strategies and plans should be preparedand signed off by the system owner and ITmanagement.

5.7 Testing of ChangesCONTROL OBJECTIVE

Management should ensure that changes are test-ed in accordance with the impact and resourceassessment in a separate test environment by anindependent (from builders) test group before usein the regular operational environment begins.Back-out plans should also be developed.Acceptance testing should be carried out in anenvironment representative of the future opera-tional environment (e.g., similar security, internalcontrols, workloads, etc.).

5.8 Parallel/Pilot Testing Criteria andPerformanceCONTROL OBJECTIVE

Procedures should be in place to ensure that par-allel or pilot testing is performed in accordancewith a pre-established plan and that the criteriafor terminating the testing process are specifiedin advance.

AI5



Acquisition & ImplementationInstall and Accredit SystemsAI5

5.9 Final Acceptance TestCONTROL OBJECTIVE

Procedures should provide, as part of the finalacceptance or quality assurance testing of new ormodified information systems, for a formal eval-uation and approval of the test results by management of the affected user department(s)and the IT function. The tests should cover allcomponents of the information system (e.g.,application software, facilities, technology, user procedures).

5.10 Security Testing and AccreditationCONTROL OBJECTIVE

Management should define and implement proce-dures to ensure that operations and user manage-ment formally accept the test results and the levelof security for the systems, along with the remain-ing residual risk. These procedures should reflectthe agreed upon roles and responsibilities of enduser, system development, network managementand system operations personnel, taking intoaccount segregation, supervision and controlissues.

5.11 Operational TestCONTROL OBJECTIVE

Management should ensure that before movingthe system into operation, the user or designatedcustodian (the party designated to run the systemon behalf of the user) validates its operation as acomplete product, under conditions similar to theapplication environment and in the manner inwhich the system will be run in a productionenvironment.

5.12 Promotion to ProductionCONTROL OBJECTIVE

Management should define and implement for-mal procedures to control the handover of thesystem from development to testing to opera-tions. Management should require that systemowner authorisation is obtained before a newsystem is moved into production and that, beforethe old system is discontinued, the new systemwill have successfully operated through all daily,monthly and quarterly production cycles. Therespective environments should be segregatedand properly protected.

5.13 Evaluation of Meeting User RequirementsCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should require that a post-implementation review of operational information system requirements (e.g., capacity,throughput, etc.) be conducted to assess whetherthe users’ needs are being met by the system.

5.14 Management’s Post-Implementation ReviewCONTROL OBJECTIVE

The organisation’s system development life cyclemethodology should require that a post-imple-mentation review of an operational informationsystem assess and report on whether the systemdelivered the benefits envisioned in the most costeffective manner.


CONTROL OBJECTIVES





Acquisition & ImplementationManage ChangesAI6


managing changes


to minimise the likelihood of disruption, unauthorised alterations anderrors

is enabled by

a management system which provides for the analysis, implementationand follow-up of all changes requested and made to the existing ITinfrastructure


• identification of changes• categorisation, prioritisation and emergency procedures• impact assessment• change authorisation• release management• software distribution• use of automated tools• configuration management• business process re-design

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P PP SP


Monitoring

Delivery &Support


peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES6 MANAGE CHANGES

6.1 Change Request Initiation and ControlCONTROL OBJECTIVE

IT management should ensure that all requestsfor changes, system maintenance and supplier maintenance are standardised and are subject to formal change management procedures. Changesshould be categorised and prioritised and specificprocedures should be in place to handle urgentmatters. Change requestors should be keptinformed about the status of their request.

6.2 Impact AssessmentCONTROL OBJECTIVE

A procedure should be in place to ensure that allrequests for change are assessed in a structuredway for all possible impacts on the operationalsystem and its functionality.

6.3 Control of ChangesCONTROL OBJECTIVE

IT management should ensure that change man-agement and software control and distributionare properly integrated with a comprehensiveconfiguration management system. The systemused to monitor changes to application systemsshould be automated to support the recording andtracking of changes made to large, complexinformation systems.

6.4 Emergency ChangesCONTROL OBJECTIVE

IT management should establish parametersdefining emergency changes and procedures tocontrol these changes when they circumvent thenormal process of technical, operational andmanagement assessment prior to implementation.The emergency changes should be recorded andauthorised by IT management prior to implementation.

6.5 Documentation and ProceduresCONTROL OBJECTIVE

The change process should ensure that wheneversystem changes are implemented, the associateddocumentation and procedures are updatedaccordingly.

6.6 Authorised MaintenanceCONTROL OBJECTIVE

IT management should ensure maintenance per-sonnel have specific assignments and that theirwork is properly monitored. In addition, theirsystem access rights should be controlled toavoid risks of unauthorised access to automatedsystems.

6.7 Software Release PolicyCONTROL OBJECTIVE

IT management should ensure that the release ofsoftware is governed by formal proceduresensuring sign-off, packaging, regression testing,handover, etc.

6.8 Distribution of SoftwareCONTROL OBJECTIVE

Specific internal control measures should beestablished to ensure distribution of the correctsoftware element to the right place, with integrity,and in a timely manner with adequate audit trails.

AI6

CONTROL OBJECTIVES


D E L I V E R Y & S U P P O R T

DS



Delivery & SupportDefine and Manage Service LevelsDS1


defining and managing service levels


to establish a common understanding of the level of service required

is enabled by

the establishment of service-level agreements which formalise theperformance criteria against which the quantity and quality of servicewill be measured


• formal agreements • definition of responsibilities • response times and volumes• charging• integrity guarantees• non-disclosure agreements• customer satisfaction criteria• cost/benefit analysis of required service levels• monitoring and reporting

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

S S S SSPP



Monitoring

Delivery &Support

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES1 DEFINE AND MANAGE SERVICE LEVELS

1.1 Service Level Agreement FrameworkCONTROL OBJECTIVE

Management should define a framework whereinit promotes the definition of formal service level agreements and defines the minimalcontents: availability, reliability, performance,capacity for growth, levels of support providedto users, continuity planning, security, minimumacceptable level of satisfactorily delivered sys-tem functionality, restrictions (limits on theamount of work), service charges, central printfacilities (availability), central print distributionand change procedures. Users and the ITfunction should have a written agreement whichdescribes the service level in qualitative andquantitative terms. The agreement defines theresponsibilities of both parties. The IT functionmust offer the agreed quality and quantity of service and the users must constrain the demandsthey place upon the service within the agreedlimits.

1.2 Aspects of Service Level AgreementsCONTROL OBJECTIVE

Explicit agreement should be reached on theaspects that a service level agreement shouldhave. The service level agreement should coverat least the following aspects: availability, reliability, performance, capacity for growth, levels of support provided to users, continuityplanning, security, minimum acceptable level ofsatisfactorily delivered system functionality,restrictions (limits on the amount of work), servicecharges, central print facilities (availability), central print distribution and change procedures.

1.3 Performance ProceduresCONTROL OBJECTIVE

Procedures should be put in place to ensure thatthe manner of and responsibilities for perfor-mance governing relations (e.g., non-disclosureagreements) between all the involved parties areestablished, coordinated, maintained and commu-nicated to all affected departments.

1.4 Monitoring and ReportingCONTROL OBJECTIVE

Management should appoint a service level manager who is responsible for monitoring andreporting on the achievement of the specifiedservice performance criteria and all problemsencountered during processing. The monitoringstatistics should be analysed on a timely basis.Appropriate corrective action should be taken andfailures should be investigated.

1.5 Review of Service Level Agreements andContractsCONTROL OBJECTIVE

Management should implement a regular reviewprocess for service level agreements and under-pinning contracts with third-party serviceproviders.

1.6 Chargeable ItemsCONTROL OBJECTIVE

Provisions for chargeable items should be included in the service level agreements to maketrade-offs possible on service levels versus costs.

1.7 Service Improvement ProgrammeCONTROL OBJECTIVE

Management should implement a process toensure that users and service level managers regularly agree on a service improvement pro-gramme for pursuing cost-justified improvementsto the service level.

DS1



Delivery & SupportManage Third-Party ServicesDS2


managing third-party services


to ensure that roles and responsibilities of third parties are clearlydefined, adhered to and continue to satisfy requirements

is enabled by

control measures aimed at the review and monitoring of existingagreements and procedures for their effectiveness and compliance withorganisation policy


• third-party service agreements• contract management• non-disclosure agreements• legal and regulatory requirements• service delivery monitoring and reporting• enterprise and IT risk assessments• performance rewards and penalties • internal and external organisational accountability • analysis of cost and service level variances

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

S SPP S SS



Monitoring

Delivery &Support

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES2 MANAGE THIRD-PARTY SERVICES

2.1 Supplier InterfacesCONTROL OBJECTIVE

Management should ensure that all third-partyproviders’ services are properly identified andthat the technical and organisational interfaceswith suppliers are documented.

2.2 Owner RelationshipsCONTROL OBJECTIVE

The customer organisation management shouldappoint a relationship owner who is responsiblefor ensuring the quality of the relationships withthird-parties.

2.3 Third-Party ContractsCONTROL OBJECTIVE

Management should define specific proceduresto ensure that for each relationship with a third-party service provider a formal contract isdefined and agreed upon before work starts.

2.4 Third-Party QualificationsCONTROL OBJECTIVE

Management should ensure that, before selection,potential third-parties are properly qualifiedthrough an assessment of their capability todeliver the required service (due diligence).

2.5 Outsourcing ContractsCONTROL OBJECTIVE

Specific organisational procedures should bedefined to ensure that the contract between thefacilities management provider and the organisa-tion is based on required processing levels, security, monitoring and contingency requirements,and other stipulations as appropriate.

2.6 Continuity of ServicesCONTROL OBJECTIVE

With respect to ensuring continuity of services,management should consider business risk relatedto the third-party in terms of legal uncertaintiesand the going concern concept, and negotiateescrow contracts where appropriate.

2.7 Security RelationshipsCONTROL OBJECTIVE

With regard to relationships with third-party service providers, management should ensurethat security agreements (e.g., non-disclosureagreements) are identified and explicitly statedand agreed to, and conform to universal businessstandards in accordance with legal and regulatoryrequirements, including liabilities.

2.8 MonitoringCONTROL OBJECTIVE

A process for monitoring of the service deliveryof the third-party should be set up by manage-ment to ensure the continuing adherence to thecontract agreements.

DS2



Delivery & SupportManage Performance and CapacityDS3


managing performance and capacity


to ensure that adequate capacity is available and that best and optimaluse is made of it to meet required performance needs

is enabled by

data collection, analysis and reporting on resource performance,application sizing and workload demand


• availability and performance requirements • automated monitoring and reporting• modeling tools• capacity management• resource availability• hardware and software price/performance changes

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

PP S



Monitoring

Delivery &Support

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES3 MANAGE PERFORMANCE AND CAPACITY

3.1 Availability and Performance RequirementsCONTROL OBJECTIVE

The management process should ensure thatbusiness needs are identified regarding availabilityand performance of information services andconverted into availability terms and requirements.

3.2 Availability PlanCONTROL OBJECTIVE

Management should ensure the establishment ofan availability plan to achieve, monitor and control the availability of information services.

3.3 Monitoring and ReportingCONTROL OBJECTIVE

Management should implement a process toensure that the performance of IT resources iscontinuously monitored and exceptions arereported in a timely and comprehensive manner.

3.4 Modeling ToolsCONTROL OBJECTIVE

IT management should ensure that appropriatemodeling tools are used to produce a model ofthe current system which has been calibrated andadjusted against actual workload and is accuratewithin recommended load levels. Modeling toolsshould be used to assist with the prediction ofcapacity, configuration reliability, performanceand availability requirements. In-depth technicalinvestigations should be conducted on systemshardware and should include forecasts concerningfuture technologies.

3.5 Proactive Performance ManagementCONTROL OBJECTIVE

The performance management process shouldinclude forecasting capability to enable problemsto be corrected before they affect system perfor-mance. Analysis should be conducted on systemfailures and irregularities pertaining to frequency,degree of impact and amount of damage.

3.6 Workload ForecastingCONTROL OBJECTIVE

Controls are to be in place to ensure that work-load forecasts are prepared to identify trends andto provide information needed for the capacityplan.

3.7 Capacity Management of ResourcesCONTROL OBJECTIVE

IT management should establish a planningprocess for the review of hardware performanceand capacity to ensure that cost-justifiable capac-ity always exists to process the agreed workloadsand to provide the required performance qualityand quantity prescribed in service level agree-ments. The capacity plan should cover multiplescenarios.

3.8 Resources AvailabilityCONTROL OBJECTIVE

When identified as availability requirements,management should prevent resources frombeing unavailable by implementing fault tolerance mechanisms, prioritising tasks andequitable resource allocation mechanisms.

3.9 Resources ScheduleCONTROL OBJECTIVE

Management should ensure the timely acquisi-tion of required capacity, taking into accountaspects such as resilience, contingency, work-loads and storage plans.

DS3



Delivery & SupportEnsure Continuous ServiceDS4


ensuring continuous service


to make sure IT services are available as required and to ensure aminimum business impact in the event of a major disruption

is enabled by

having an operational and tested IT continuity plan which is in linewith the overall business continuity plan and its related businessrequirements


• criticality classification• alternative procedures• back-up and recovery• systematic and regular testing and training• monitoring and escalation processes• internal and external organisational responsibilities• business continuity activation, fallback and

resumption plans• risk management activities• assessment of single points of failure• problem management

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

PSP



Monitoring

Delivery &Support

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES4 ENSURE CONTINUOUS SERVICE

4.1 IT Continuity FrameworkCONTROL OBJECTIVE

IT management, in cooperation with businessprocess owners, should establish a continuityframework which defines the roles, responsibili-ties and the risk-based approach/methodology tobe adopted, and the rules and structures to docu-ment the continuity plan as well as the approvalprocedures.

4.2 IT Continuity Plan Strategy and PhilosophyCONTROL OBJECTIVE

Management should ensure that the IT continuityplan is in line with the overall business continu-ity plan to ensure consistency. Furthermore, theIT continuity plan should take into account theIT long- and short-range plans to ensure consistency.

4.3 IT Continuity Plan ContentsCONTROL OBJECTIVE

IT management should ensure that a written planis developed containing the following: • Guidelines on how to use the continuity plan• Emergency procedures to ensure the safety of

all affected staff members• Response procedures meant to bring the busi-

ness back to the state it was in before the inci-dent or disaster

• Recovery procedures meant to bring the busi-ness back to the state it was in before the inci-dent or disaster

• Procedures to safeguard and reconstruct thehome site

• Co-ordination procedures with public authorities

• Communication procedures with stakeholders,employees, key customers, critical suppliers,stockholders and management

• Critical information on continuity teams,affected staff, customers, suppliers, publicauthorities and media

4.4 Minimising IT Continuity RequirementsCONTROL OBJECTIVE

IT management should establish procedures andguidelines for minimising the continuity require-ments with regard to personnel, facilities, hard-ware, software, equipment, forms, supplies andfurniture.

4.5 Maintaining the IT Continuity PlanCONTROL OBJECTIVE

IT management should provide for change con-trol procedures in order to ensure that the conti-nuity plan is up-to-date and reflects actual busi-ness requirements. This requires continuity planmaintenance procedures aligned with change andmanagement and human resources procedures.

4.6 Testing the IT Continuity PlanCONTROL OBJECTIVE

To have an effective continuity plan, manage-ment needs to assess its adequacy on a regularbasis or upon major changes to the business orIT infrastructure; this requires careful prepara-tion, documentation, reporting test results and,according to the results, implementing an actionplan.

4.7 IT Continuity Plan TrainingCONTROL OBJECTIVE

The disaster continuity methodology shouldensure that all concerned parties receive regulartraining sessions regarding the procedures to befollowed in case of an incident or disaster.

DS4



Delivery & SupportEnsure Continuous ServiceDS4

4.8 IT Continuity Plan DistributionCONTROL OBJECTIVE

Given the sensitive nature of information in thecontinuity plan, the latter should be distributedonly to authorised personnel and should be safe-guarded against unauthorised disclosure.Consequently, sections of the plan need to be dis-tributed on a need-to-know basis.

4.9 User Department Alternative ProcessingBack-up ProceduresCONTROL OBJECTIVE

The continuity methodology should ensure thatthe user departments establish alternative pro-cessing procedures that may be used until the ITfunction is able to fully restore its services after adisaster or an event.

4.10 Critical IT ResourcesCONTROL OBJECTIVE

The continuity plan should identify the criticalapplication programmes, third-party services,operating systems, personnel and supplies, datafiles and time frames needed for recovery after adisaster occurs. Critical data and operationsshould be identified, documented, prioritised andapproved by the business process owners, incooperation with IT management.

4.11 Back-up Site and HardwareCONTROL OBJECTIVE

Management should ensure that the continuitymethodology incorporates an identification ofalternatives regarding the back-up site and hard-ware as well as a final alternative selection. Ifapplicable, a formal contract for these type ofservices should be concluded.

4.12 Off-site Back-up StorageCONTROL OBJECTIVE

Off-site storage of critical back-up media, docu-mentation and other IT resources should beestablished to support recovery and business con-tinuity plans. Business process owners and ITfunction personnel should be involved in deter-mining what back-up resources need to be storedoff-site. The off-site storage facility should beenvironmentally appropriate to the media andother resources stored and should have a level ofsecurity commensurate with that needed to pro-tect the back-up resources from unauthorisedaccess, theft or damage. IT management shouldensure that off-site arrangements are periodicallyassessed, at least annually, for content, environ-mental protection and security.

4.13 Wrap-up ProceduresCONTROL OBJECTIVE

On successful resumption of the IT function aftera disaster, IT management should establish pro-cedures for assessing the adequacy of the planand update the plan accordingly.


CONTROL OBJECTIVES





Delivery & SupportEnsure Systems SecurityDS5


ensuring systems security


to safeguard information against unauthorised use, disclosure ormodification, damage or loss

is enabled by

logical access controls which ensure that access to systems, data andprogrammes is restricted to authorised users


• confidentiality and privacy requirements• authorisation, authentication and access control• user identification and authorisation profiles• need-to-have and need-to-know• cryptographic key management• incident handling, reporting and follow-up• virus prevention and detection• firewalls• centralised security administration• user training • tools for monitoring compliance,

intrusion testing and reporting

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P P S SS



Monitoring

Delivery &Support

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES5 ENSURE SYSTEMS SECURITY

5.1 Manage Security MeasuresCONTROL OBJECTIVE

IT security should be managed such that securitymeasures are in line with business requirements.This includes:• Translating risk assessment information to the

IT security plans• Implementing the IT security plan• Updating the IT security plan to reflect

changes in the IT configuration• Assessing the impact of change requests on IT

security• Monitoring the implementation of the IT

security plan• Aligning IT security procedures to other

policies and procedures

5.2 Identification, Authentication and AccessCONTROL OBJECTIVE

The logical access to and use of IT computingresources should be restricted by the implemen-tation of adequate identification, authenticationand authorisation mechanisms, linking users andresources with access rules. Such mechanismsshould prevent unauthorised personnel, dial-upconnections and other system (network) entryports from accessing computer resources andminimise the need for authorised users to usemultiple sign-ons. Procedures should also be inplace to keep authentication and access mecha-nisms effective (e.g., regular password changes).

5.3 Security of Online Access to DataCONTROL OBJECTIVE

In an online IT environment, IT managementshould implement procedures in line with thesecurity policy that provides access security con-trol based on the individual’s demonstrated needto view, add, change or delete data.

5.4 User Account ManagementCONTROL OBJECTIVE

Management should establish procedures toensure timely action relating to requesting, estab-lishing, issuing, suspending and closing of useraccounts. A formal approval procedure outliningthe data or system owner granting the accessprivileges should be included. The security ofthird-party access should be defined contractual-ly and address administration and non-disclosurerequirements. Outsourcing arrangements shouldaddress the risks, security controls and proce-dures for information systems and networks inthe contract between the parties.

5.5 Management Review of User AccountsCONTROL OBJECTIVE

Management should have a control process inplace to review and confirm access rights period-ically. Periodic comparison of resources withrecorded accountability should be made to helpreduce the risk of errors, fraud, misuse or unau-thorised alteration.

5.6 User Control of User AccountsCONTROL OBJECTIVE

Users should systematically control the activityof their proper account(s). Also informationmechanisms should be in place to allow them tooversee normal activity as well as to be alerted tounusual activity in a timely manner.

5.7 Security SurveillanceCONTROL OBJECTIVE

IT security administration should ensure thatsecurity activity is logged and any indication ofimminent security violation is reported immedi-ately to all who may be concerned, internally andexternally, and is acted upon in a timely manner.

DS5



Delivery & SupportEnsure Systems SecurityDS5

5.8 Data ClassificationCONTROL OBJECTIVE

Management should implement procedures toensure that all data are classified in terms of sen-sitivity by a formal and explicit decision by thedata owner according to the data classificationscheme. Even data needing “no protection”should require a formal decision to be so desig-nated. Owners should determine disposition andsharing of data, as well as whether and whenprograms and files are to be maintained, archivedor deleted. Evidence of owner approval anddata disposition should be maintained. Policiesshould be defined to support reclassification ofinformation, based on changing sensitivities.The classification scheme should include criteriafor managing exchanges of information betweenorganisations, addressing both security and com-pliance with relevant legislation.

5.9 Central Identification and Access RightsManagementCONTROL OBJECTIVE

Controls are in place to ensure that the identifica-tion and access rights of users as well as theidentity of system and data ownership are estab-lished and managed in a unique and central man-ner to obtain consistency and efficiency of globalaccess control.

5.10 Violation and Security Activity ReportsCONTROL OBJECTIVE

IT security administration should ensure that vio-lation and security activity is logged, reported,reviewed and appropriately escalated on a regu-lar basis to identify and resolve incidents involv-ing unauthorised activity. The logical access tothe computer resources accountability informa-tion (security and other logs) should be grantedbased upon the principle of least privilege, orneed-to-know.

5.11 Incident HandlingCONTROL OBJECTIVE

Management should establish a computer securityincident handling capability to address securityincidents by providing a centralised platform withsufficient expertise and equipped with rapid andsecure communication facilities. Incident manage-ment responsibilities and procedures should beestablished to ensure an appropriate, effective andtimely response to security incidents.

5.12 ReaccreditationCONTROL OBJECTIVE

Management should ensure that reaccreditationof security (e.g., through “tiger teams”) is period-ically performed to keep up-to-date the formallyapproved security level and the acceptance ofresidual risk.

5.13 Counterparty TrustCONTROL OBJECTIVE

Organisational policy should ensure that controlpractices are implemented to verify the authen-ticity of the counterparty providing electronicinstructions or transactions. This can be imple-mented through trusted exchange of passwords,tokens or cryptographic keys.

5.14 Transaction AuthorisationCONTROL OBJECTIVE

Organisational policy should ensure that, whereappropriate, controls are implemented to provideauthenticity of transactions and establish thevalidity of a user’s claimed identity to the sys-tem. This requires use of cryptographic tech-niques for signing and verifying transactions.


CONTROL OBJECTIVES


5.15 Non-RepudiationCONTROL OBJECTIVE

Organisational policy should ensure that, whereappropriate, transactions cannot be denied byeither party, and controls are implemented to provide non-repudiation of origin or receipt,proof of submission, and receipt of transactions.This can be implemented through digital signa-tures, time stamping and trusted third-parties,with appropriate policies that take into account relevant regulatory requirements.

5.16 Trusted PathCONTROL OBJECTIVE

Organisational policy should ensure that sensi-tive transaction data is only exchanged over atrusted path. Sensitive information includes secu-rity management information, sensitive transac-tion data, passwords and cryptographic keys. Toachieve this, trusted channels may need to beestablished using encryption between users,between users and systems, and between sys-tems.

5.17 Protection of Security FunctionsCONTROL OBJECTIVE

All security related hardware and software shouldat all times be protected against tampering tomaintain their integrity and against disclosure ofsecret keys. In addition, organisations shouldkeep a low profile about their security design,but should not base their security on the designbeing secret.

5.18 Cryptographic Key ManagementCONTROL OBJECTIVE

Management should define and implement pro-cedures and protocols to be used for generation,change, revocation, destruction, distribution, cer-tification, storage, entry, use and archiving ofcryptographic keys to ensure the protection ofkeys against modification and unauthorised dis-

closure. If a key is compromised, managementshould ensure this information is propagated toany interested party through the use ofCertificate Revocation Lists or similar mecha-nisms.

5.19 Malicious Software Prevention, Detection andCorrectionCONTROL OBJECTIVE

Regarding malicious software, such as computerviruses or trojan horses, management shouldestablish a framework of adequate preventative,detective and corrective control measures, andoccurrence response and reporting. Businessand IT management should ensure that proce-dures are established across the organisation toprotect information systems and technology fromcomputer viruses. Procedures should incorporatevirus protection, detection, occurrence responseand reporting.

5.20 Firewall Architectures and Connections withPublic NetworksCONTROL OBJECTIVE

If connection to the Internet or other public net-works exists, adequate firewalls should be opera-tive to protect against denial of services and anyunauthorised access to the internal resources;should control any application and infrastructuremanagement flows in both directions; and shouldprotect against denial of service attacks.

5.21 Protection of Electronic ValueCONTROL OBJECTIVE

Management should protect the continuedintegrity of all cards or similar physical mechanisms used for authentication or storage of financial or other sensitive information, takinginto consideration the related facilities, devices,employees and validation methods used.

DS5



Delivery & SupportIdentify and Allocate CostsDS6


identifying and allocating costs


to ensure a correct awareness of the costs attributable to IT services

is enabled by

a cost accounting system which ensures that costs are recorded,calculated and allocated to the required level of detail and to theappropriate service offering


• resources identifiable and measurable• charging policies and procedures• charge rates and charge-back process• linkage to service level agreement• automated reporting• verification of benefit realisation• external benchmarking

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P P



Monitoring

Delivery &Support

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


6 IDENTIFY AND ALLOCATE COSTS

6.1 Chargeable ItemsCONTROL OBJECTIVE

IT management, with guidance from senior management, should ensure that chargeable itemsare identifiable, measurable and predictable byusers. Users should be able to control the use of information services and associated billing levels.

6.2 Costing ProceduresCONTROL OBJECTIVE

IT management should define and implementcosting procedures to provide management information on the costs of delivering information services while ensuring cost effectiveness. Variances between forecasts andactual costs are to be adequately analysed andreported on to facilitate the cost monitoring. In addition, management should periodically evaluate the results of the IT function’s job cost accounting procedures, in light of the organisation’s other financial measurement systems.

6.3 User Billing and Chargeback ProceduresCONTROL OBJECTIVE

IT management should define and use billing andchargeback procedures. It should maintain userbilling and chargeback procedures that encouragethe proper usage of computer resources andassure the fair treatment of user departments andtheir needs. The rate charged should reflect theassociated costs of providing services.

DS6DETAILED CONTROL OBJECTIVES



Delivery & SupportEducate and Train UsersDS7


educating and training users


to ensure that users are making effective use of technology and areaware of the risks and responsibilities involved

is enabled by

a comprehensive training and development plan


• training curriculum• skills inventory• awareness campaigns• awareness techniques• use of new training technologies and methods• personnel productivity• development of knowledge base

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P S



Monitoring

Delivery &Support

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES7 EDUCATE AND TRAIN USERS

7.1 Identification of Training NeedsCONTROL OBJECTIVE

In line with the long-range plan, managementshould establish and maintain procedures foridentifying and documenting the training needsof all personnel using information services. Atraining curriculum for each group of employeesshould be established.

7.2 Training OrganisationCONTROL OBJECTIVE

Based on the identified needs, managementshould define the target groups, identify andappoint trainers, and organise timely training sessions. Training alternatives should also beinvestigated (internal or external location,in-house trainers or third-party trainers, etc.).

7.3 Security Principles and Awareness TrainingCONTROL OBJECTIVE

All personnel must be trained and educated insystem security principles, including periodicupdates with special focus on security awarenessand incident handling. Management should provide an education and training programmethat includes: ethical conduct of the IT function,security practices to protect against harm fromfailures affecting availability, confidentiality,integrity and performance of duties in a securemanner.

DS7



Delivery & SupportAssist and Advise CustomersDS8


assisting and advising customers


to ensure that any problem experienced by the user is appropriatelyresolved

is enabled by

a help desk facility which provides first-line support and advice


• customer query and problem response • query monitoring and clearance• trend analysis and reporting• development of knowledge base • root cause analysis• problem tracking and escalation

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P P



Monitoring

Delivery &Support

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES8 ASSIST AND ADVISE CUSTOMERS

8.1 Help DeskCONTROL OBJECTIVE

User support should be established within a“help desk” function. Individuals responsible forperforming this function should closely interactwith problem management personnel.

8.2 Registration of Customer QueriesCONTROL OBJECTIVE

Procedures should be in place to ensure that allcustomer queries are adequately registered by thehelp desk.

8.3 Customer Query EscalationCONTROL OBJECTIVE

Help desk procedures should ensure that cus-tomer queries which cannot immediately beresolved are appropriately escalated within the IT function.

8.4 Monitoring of ClearanceCONTROL OBJECTIVE

Management should establish procedures fortimely monitoring of the clearance of customerqueries. Long outstanding queries should beinvestigated and acted upon.

8.5 Trend Analysis and ReportingCONTROL OBJECTIVE

Procedures should be in place which assure adequate reporting with regard to customerqueries and resolution, response times and trendidentification. The reports should be adequatelyanalysed and acted upon.

DS8



Delivery & SupportManage the ConfigurationDS9


managing the configuration


to account for all IT components, prevent unauthorised alterations,verify physical existence and provide a basis for sound changemanagement

is enabled by

controls which identify and record all IT assets and their physicallocation, and a regular verification programme which confirms theirexistence


• asset tracking• configuration change management• checking for unauthorised software • software storage controls• software and hardware interrelationships and integration• use of automated tools

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P S S



Monitoring

Delivery &Support

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES9 MANAGE THE CONFIGURATION

9.1 Configuration RecordingCONTROL OBJECTIVE

Procedures should be in place to ensure that onlyauthorised and identifiable configuration itemsare recorded in inventory upon acquisition. Theseprocedures should also provide for the authoriseddisposal and consequential sale of configurationitems. Moreover, procedures should be in placeto keep track of changes to the configuration(e.g., new item, status change from developmentto prototype). Logging and control should be anintegrated part of the configuration recordingsystem including reviews of changed records.

9.2 Configuration BaselineCONTROL OBJECTIVE

IT management should be ensured that a baselineof configuration items is kept as a checkpoint toreturn to after changes.

9.3 Status AccountingCONTROL OBJECTIVE

IT management should ensure that the configura-tion records reflect the actual status of all config-uration items including the history of changes.

9.4 Configuration ControlCONTROL OBJECTIVE

Procedures should ensure that the existence andconsistency of recording of the IT configurationis periodically checked.

9.5 Unauthorised SoftwareCONTROL OBJECTIVE

Clear policies restricting the use of personal andunlicensed software should be developed andenforced. The organisation should use virusdetection and remedy software. Business and IT management should periodically check the

organisation’s personal computers for unautho-rised software. Compliance with the require-ments of software and hardware license agree-ments should be reviewed on a periodic basis.

9.6 Software StorageCONTROL OBJECTIVE

A file storage area (library) should be defined forall valid software items in appropriate phases ofthe system development life cycle. These areasshould be separated from each other and fromdevelopment, testing and production file storageareas.

9.7 Configuration Management ProceduresCONTROL OBJECTIVE

Configuration management procedures should beestablished to ensure that critical components ofthe organisation’s IT resources have been appro-priately identified and are maintained. Thereshould be an integrated process whereby currentand future processing demands are measured andprovide input to the IT resource acquisitionsprocess.

9.8 Software AccountabilityCONTROL OBJECTIVE

Software should be labeled, inventoried andproperly licensed. Library management softwareshould be used to produce audit trails of programchanges and to maintain program version num-bers, creation-date information and copies of pre-vious versions.

DS9



Delivery & SupportManage Problems and IncidentsDS10


managing problems and incidents


to ensure that problems and incidents are resolved, and the causeinvestigated to prevent any recurrence

is enabled by

a problem management system which records and progresses allincidents


• audit trails of problems and solutions• timely resolution of reported problems• escalation procedures• incident reports• accessibility of configuration information• supplier responsibilities• coordination with change management

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P SP



Monitoring

Delivery &Support

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


10 MANAGE PROBLEMS AND INCIDENTS

10.1 Problem Management SystemCONTROL OBJECTIVE

IT management should define and implement aproblem management system to ensure that alloperational events which are not part of the stan-dard operation (incidents, problems and errors)are recorded, analysed and resolved in a timelymanner. Emergency programme change proce-dures should be promptly tested, documented,approved and reported. Incident reports should be established in the case of significantproblems.

10.2 Problem EscalationCONTROL OBJECTIVE

IT management should define and implementproblem escalation procedures to ensure thatidentified problems are solved in the most effi-cient way on a timely basis. These proceduresshould ensure that these priorities are appropri-ately set. The procedures should also documentthe escalation process for the activation of the ITcontinuity plan.

10.3 Problem Tracking and Audit TrailCONTROL OBJECTIVE

The problem management system should providefor adequate audit trail facilities which allowtracing from incident to underlying cause (e.g.,package release or urgent change implementa-tion) and back. It should closely interwork withchange management, availability managementand configuration management.

10.4 Emergency and Temporary AccessAuthorisationsCONTROL OBJECTIVE

Emergency and temporary access authorisationsshould be documented on standard forms andmaintained on file, approved by appropriatemanagers, securely communicated to the securityfunction and automatically terminated after apredetermined period.

10.5 Emergency Processing PrioritiesCONTROL OBJECTIVE

Emergency processing priorities should be estab-lished, documented and approved by appropriateprogram and IT management.

DS10DETAILED CONTROL OBJECTIVES



Delivery & SupportManage DataDS11


managing data


to ensure that data remains complete, accurate and valid during itsinput, update and storage

is enabled by

an effective combination of application and general controls over theIT operations


• form design• source document controls• input, processing and output controls• media identification, movement and library management• data back-up and recovery• authentication and integrity• data ownership• data administration policies• data models and data representation standards• integration and consistency across platforms• legal and regulatory requirements

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P P



Monitoring

Delivery &Support

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES11 MANAGE DATA

11.1 Data Preparation ProceduresCONTROL OBJECTIVE

Management should establish data preparationprocedures to be followed by user departments.In this context, input form design should help toassure that errors and omissions are minimised.Error handling procedures during data origina-tion should reasonably ensure that errors andirregularities are detected, reported and corrected.

11.2 Source Document Authorisation ProceduresCONTROL OBJECTIVE

Management should ensure that source documentsare properly prepared by authorised personnelwho are acting within their authority and that an adequate segregation of duties is in place regarding the origination and approval of sourcedocuments.

11.3 Source Document Data CollectionCONTROL OBJECTIVE

The organisation’s procedures should ensure thatall authorised source documents are completeand accurate, properly accounted for and trans-mitted in a timely manner for entry.

11.4 Source Document Error HandlingCONTROL OBJECTIVE

Error handling procedures during data origination should reasonably ensure that errorsand irregularities are detected, reported and corrected.

11.5 Source Document RetentionCONTROL OBJECTIVE

Procedures should be in place to ensure originalsource documents are retained or are reproducibleby the organisation for an adequate amount oftime to facilitate retrieval or reconstruction ofdata as well as to satisfy legal requirements.

11.6 Data Input Authorisation ProceduresCONTROL OBJECTIVE

The organisation should establish appropriateprocedures to ensure that data input is performedonly by authorised staff.

11.7 Accuracy, Completeness and AuthorisationChecksCONTROL OBJECTIVE

Transaction data entered for processing (people-generated, system-generated or interfaced inputs)should be subject to a variety of controls tocheck for accuracy, completeness and validity.Procedures should also be established to assurethat input data is validated and edited as close tothe point of origination as possible.

11.8 Data Input Error HandlingCONTROL OBJECTIVE

The organisation should establish procedures forthe correction and resubmission of data whichwas erroneously input.

11.9 Data Processing IntegrityCONTROL OBJECTIVE

The organisation should establish procedures forthe processing of data that ensure separation ofduties is maintained and that work performed isroutinely verified. The procedures should ensureadequate update controls such as run-to-run control totals and master file update controls arein place.

11.10 Data Processing Validation and EditingCONTROL OBJECTIVE

The organisation should establish procedures toensure that data processing validation, authenti-cation and editing are performed as close to thepoint of origination as possible. When usingArtificial Intelligence systems, these systemsshould be placed in an interactive control frame-work with human operators to ensure that vitaldecisions are approved.

DS11




11.11 Data Processing Error HandlingCONTROL OBJECTIVE

The organisation should establish data processingerror handling procedures that enable erroneoustransactions to be identified without beingprocessed and without undue disruption of theprocessing of other valid transactions.

11.12 Output Handling and RetentionCONTROL OBJECTIVE

The organisation should establish procedures forthe handling and retention of output from its ITapplication programs. In case negotiable instru-ments (e.g., value cards) are the output recipi-ents, special care should be taken to prevent misuse.

11.13 Output DistributionCONTROL OBJECTIVE

The organisation should establish and communi-cate written procedures for the distribution of IToutput.

11.14 Output Balancing and ReconciliationCONTROL OBJECTIVE

The organisation should establish procedures forassuring that output routinely is balanced to therelevant control totals. Audit trails should be provided to facilitate the tracing of transactionprocessing and the reconciliation of disrupteddata.

11.15 Output Review and Error HandlingCONTROL OBJECTIVE

The organisation’s management should establishprocedures for assuring that the accuracy of output reports is reviewed by the provider and therelevant users. Procedures should also be in placefor controlling errors contained in the output.

11.16 Security Provision for Output ReportsCONTROL OBJECTIVE

The organisation should establish procedures forassuring that the security of output reports ismaintained for those awaiting distribution, aswell as those already distributed to users.

11.17 Protection of Sensitive Information DuringTransmission and TransportCONTROL OBJECTIVE

Management should ensure that adequate protec-tion of sensitive information is provided duringtransmission and transport against unauthorisedaccess, modification and misaddressing.

11.18 Protection of Disposed Sensitive InformationCONTROL OBJECTIVE

Management should define and implement pro-cedures to prevent access to sensitive informa-tion and software from computers, disks andother equipment or media when they are dis-posed of or transferred to another use. Such pro-cedures should guarantee that data marked asdeleted or to be disposed cannot be retrieved byany internal or third party.

11.19 Storage ManagementCONTROL OBJECTIVE

Procedures should be developed for data storagewhich consider retrieval requirements, and costeffectiveness and security policy.

11.20 Retention Periods and Storage TermsCONTROL OBJECTIVE

Retention periods and storage terms should bedefined for documents, data, programmes andreports and messages (incoming and outgoing) aswell as the data (keys, certificates) used for theirencryption and authentication.


CONTROL OBJECTIVES


11.21 Media Library Management SystemCONTROL OBJECTIVE

The IT function should establish procedures toassure that contents of its media library contain-ing data are inventoried systematically, that anydiscrepancies disclosed by a physical inventoryare remedied in a timely fashion and that mea-sures are taken to maintain the integrity of mag-netic media stored in the library.

11.22 Media Library Management ResponsibilitiesCONTROL OBJECTIVE

Housekeeping procedures designed to protectmedia library contents should be established byIT management. Standards should be defined forthe external identification of magnetic media andthe control of their physical movement and stor-age to support accountability. Responsibilities formedia (magnetic tape, cartridge, disks anddiskettes) library management should be assignedto specific members of the IT function.

11.23 Back-up and RestorationCONTROL OBJECTIVE

Management should implement a proper strategyfor back-up and restoration to ensure that itincludes a review of business requirements, aswell as the development, implementation, testingand documentation of the recovery plan.Procedures should be set up to ensure that back-ups are satisfying the above-mentioned require-ments.

11.24 Back-up JobsCONTROL OBJECTIVE

Procedures should be in place to ensure back-upsare taken in accordance with the defined back-upstrategy and the usability of back-ups is regularlyverified.

11.25 Back-up StorageCONTROL OBJECTIVE

Back-up procedures for IT-related media shouldinclude the proper storage of the data files, soft-ware and related documentation, both on-site andoff-site. Back-ups should be stored securely andthe storage sites periodically reviewed regardingphysical access security and security of data filesand other items.

11.26 ArchivingCONTROL OBJECTIVE

Management should implement a policy and pro-cedures for ensuring that archival meets legaland business requirements, and is properly safe-guarded and accounted for.

11.27 Protection of Sensitive MessagesCONTROL OBJECTIVE

Regarding data transmission over the Internet orany other public network, management shoulddefine and implement procedures and protocolsto be used to ensure integrity, confidentiality andnon-repudiation of sensitive messages.

11.28 Authentication and IntegrityCONTROL OBJECTIVE

The authentication and integrity of informationoriginated outside the organisation, whetherreceived by telephone, voicemail, paper docu-ment, fax or e-mail, should be appropriatelychecked before potentially critical action istaken.

DS11





11.29 Electronic Transaction IntegrityCONTROL OBJECTIVE

Taking into consideration that the traditionalboundaries of time and geography are lessreliant, management should define and imple-ment appropriate procedures and practices forsensitive and critical electronic transactionsensuring integrity and authenticity of:• atomicity (indivisible unit of work, all of its

actions succeed or they all fail)• consistency (if the transaction cannot achieve

a stable end state, it must return the system toits initial state)

• isolation (a transaction’s behavior is notaffected by other transactions that executeconcurrently)

• durability (transaction’s effects are permanentafter it commits, its changes should survivesystem failures)

11.30 Continued Integrity of Stored DataCONTROL OBJECTIVE

Management should ensure that the integrity andcorrectness of the data kept on files and othermedia (e.g., electronic cards) is checked periodi-cally. Specific attention should be paid to valuetokens, reference files and files containing priva-cy information.

CONTROL OBJECTIVES





Delivery & SupportManage FacilitiesDS12


managing facilities


to provide a suitable physical surrounding which protects the ITequipment and people against man-made and natural hazards

is enabled by

the installation of suitable environmental and physical controls whichare regularly reviewed for their proper functioning


• access to facilities• site identification• physical security• inspection and escalation policies• business continuity planning and crisis management• personnel health and safety• preventive maintenance policies• environmental threat protection• automated monitoring

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P P



Monitoring

Delivery &Support

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES12 MANAGE FACILITIES

12.1 Physical SecurityCONTROL OBJECTIVE

Appropriate physical security and access controlmeasures should be established for IT facilities,including off-site use of information devices inconformance with the general security policy.Physical security and access controls shouldaddress not only the area containing system hard-ware, but also locations of wiring used to con-nect elements of the system, supporting services(such as electric power), backup media and anyother elements required for the system’s opera-tion. Access should be restricted to individualswho have been authorised to gain such access.Where IT resources are located in public areas,they should be appropriately protected to preventor deter loss or damage from theft or vandalism.

12.2 Low Profile of the IT SiteCONTROL OBJECTIVE

IT management should ensure a low profile iskept and the physical identification of the site ofthe IT operations is limited.

12.3 Visitor EscortCONTROL OBJECTIVE

Appropriate procedures are to be in place ensur-ing that individuals who are not members of theIT function’s operations group are escorted by amember of that group when they must enter thecomputer facilities. A visitor’s log should be keptand reviewed regularly.

12.4 Personnel Health and SafetyCONTROL OBJECTIVE

Health and safety practices should be put inplace and maintained in conformance withapplicable international, national, regional, stateand local laws and regulations.

12.5 Protection Against Environmental FactorsCONTROL OBJECTIVE

IT management should assure that sufficientmeasures are put in place and maintained forprotection against environmental factors (e.g.,fire, dust, power, excessive heat and humidity).Specialised equipment and devices to monitorand control the environment should be installed.

12.6 Uninterruptible Power SupplyCONTROL OBJECTIVE

Management should assess regularly the need for uninterruptable power supply batteries andgenerators for critical IT applications to secureagainst power failures and fluctuations. Whenjustified, the most appropriate equipment shouldbe installed.

DS12



Delivery & SupportManage OperationsDS13


managing operations


to ensure that important IT support functions are performed regularlyand in an orderly fashion

is enabled by

a schedule of support activities which is recorded and cleared for theaccomplishment of all activities


• operations procedure manual• start-up process documentation• network services management• workload and personnel scheduling• shift hand-over process• system event logging• coordination with change, availability and

business continuity management• preventive maintenance• service level agreements• automated operations• incident logging, tracking and escalation

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

P P S S



Monitoring

Delivery &Support

peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES13 MANAGE OPERATIONS

13.1 Processing Operations Procedures andInstructions ManualCONTROL OBJECTIVE

IT management should establish and documentstandard procedures for IT operations (includingnetwork operations). All IT solutions and plat-forms in place should be operated using theseprocedures, which should be reviewed periodical-ly to ensure effectiveness and adherence.

13.2 Start-up Process and Other OperationsDocumentationCONTROL OBJECTIVE

IT management should ensure that the operationsstaff is adequately familiar and confident withthe start-up process and other operations tasks byhaving them documented, periodically tested andadjusted when required.

13.3 Job SchedulingCONTROL OBJECTIVE

IT management should ensure that the continu-ous scheduling of jobs, processes and tasks isorganised into the most efficient sequence, max-imising throughput and utilisation, to meet theobjectives set in service level agreements. Theinitial schedules as well as changes to theseschedules should be appropriately authorised.

13.4 Departures from Standard Job SchedulesCONTROL OBJECTIVE

Procedures should be in place to identify, investigate and approve departures from standardjob schedules.

13.5 Processing ContinuityCONTROL OBJECTIVE

Procedures should require processing continuityduring operator shift changes by providing forformal handover of activity, status updates andreports on current responsibilities.

13.6 Operations LogsCONTROL OBJECTIVE

Management controls should guarantee that sufficient chronological information is being storedin operations logs to enable the reconstruction,review and examination of the time sequences ofprocessing and the other activities surrounding orsupporting processing.

13.7 Safeguard Special Forms and Output DevicesCONTROL OBJECTIVE

Management should establish appropriate physi-cal safeguards over special forms, such as nego-tiable instruments, and over sensitive outputdevices, such as signature cartridges, taking intoconsideration proper accounting of IT resources,forms or items requiring additional protectionand inventory management.

13.8 Remote OperationsCONTROL OBJECTIVE

For remote operations, specific procedures shouldensure that the connection and disconnection ofthe links to the remote site(s) are defined andimplemented.

DS13

CONTROL OBJECTIVES


M O N I T O R I N G

M



Monitoring Monitor the ProcessesM1


monitoring the processes


to ensure the achievement of the performance objectives set for the ITprocesses

is enabled by

the definition of relevant performance indicators, the systematic andtimely reporting of performance and prompt acting upon deviations


• scorecards with performance drivers and outcome measures• customer satisfaction assessments• management reporting• knowledge base of historical performance• external benchmarking

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

PP S S S SS Delivery &Support


Monitoring


peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES1 MONITOR THE PROCESSES

1.1 Collecting Monitoring DataCONTROL OBJECTIVE

For the IT and internal control processes, man-agement should ensure relevant performanceindicators (e.g., benchmarks) from both internaland external sources are being defined, and thatdata is being collected for the creation of man-agement information reports and exceptionreports regarding these indicators. Controlsshould also be aimed at validating the proprietyand integrity of both organisational and individ-ual performance measures and indicators.

1.2 Assessing PerformanceCONTROL OBJECTIVE

Services to be delivered by the IT functionshould be measured (key performance indicatorsand/or critical success factors) by managementand be compared with target levels. Assessmentsof the IT function should be performed on acontinuous basis.

1.3 Assessing Customer SatisfactionCONTROL OBJECTIVE

At regular intervals management should measurecustomer satisfaction regarding the servicesdelivered by the IT function to identify shortfallsin service levels and establish improvementobjectives.

1.4 Management ReportingCONTROL OBJECTIVE

Management reports should be provided forsenior management’s review of the organisation’sprogress toward identified goals. Status reportsshould include the extent to which plannedobjectives have been achieved, deliverablesobtained, performance targets met and risks miti-gated. Upon review, appropriate managementaction should be initiated and controlled.

M1



MonitoringAssess Internal Control AdequacyM2


assessing internal control adequacy


to ensure the achievement of the internal control objectives set for theIT processes

is enabled by

the commitment to monitoring internal controls, assessing theireffectiveness, and reporting on them on a regular basis


• responsibilities for internal control• ongoing internal control monitoring• benchmarks• error and exception reporting• self-assessments• management reporting• compliance with legal and regulatory requirements

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y

PP S S P SS Delivery &Support


Monitoring


peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES2 ASSESS INTERNAL CONTROL ADEQUACY

2.1 Internal Control MonitoringCONTROL OBJECTIVE

Management should monitor the effectiveness ofinternal controls in the normal course of opera-tions through management and supervisory activ-ities, comparisons, reconciliations and other rou-tine actions. Deviations should evoke analysisand corrective action. In addition, deviationsshould be communicated to the individualresponsible for the function and also at least onelevel of management above that individual.Serious deviations should be reported to seniormanagement.

2.2 Timely Operation of Internal ControlsCONTROL OBJECTIVE

Reliance on internal controls requires thatcontrols operate promptly to highlight errors andinconsistencies, and that these are correctedbefore they impact production and delivery.Information regarding errors, inconsistencies andexceptions should be kept and systematicallyreported to management.

2.3 Internal Control Level ReportingCONTROL OBJECTIVE

Management should report information oninternal control levels and exceptions to theaffected parties to ensure the continuedeffectiveness of its internal control system.Actions should be taken to identify whatinformation is needed at a particular level ofdecision making.

2.4 Operational Security and Internal ControlAssuranceCONTROL OBJECTIVE

Operational security and internal control assur-ance should be established and periodicallyrepeated, with self-assessment or independentaudit to examine whether or not the security andinternal controls are operating according to the

stated or implied security and internal controlrequirements. Ongoing monitoring activities bymanagement should look for vulnerabilities andsecurity problems.

M2


MonitoringObtain Independent AssuranceM3



obtaining independent assurance


to increase confidence and trust among the organisation, customers,and third-party providers

is enabled by

independent assurance reviews carried out at regular intervals


• independent certifications and accreditation• independent effectiveness evaluations• independent assurance of compliance with laws and regulatory

requirements• independent assurance of compliance with contractual commitments• third-party service provider reviews and benchmarking• performance of assurance reviews by qualified personnel• proactive audit involvement

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y



Monitoring


peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


DETAILED CONTROL OBJECTIVES3 OBTAIN INDEPENDENT ASSURANCE

3.1 Independent Security and Internal ControlCertification/Accreditation of IT ServicesCONTROL OBJECTIVE

Management should obtain independentcertification/accreditation of security and internal controls prior to implementing criticalnew IT services and re-certification/re-accreditation of these services on a routinecycle after implementation.

3.2 Independent Security and Internal ControlCertification/Accreditation of Third-PartyService ProvidersCONTROL OBJECTIVE

Management should obtain independentcertification/accreditation of security and internalcontrols prior to using IT service providers andre-certification/re-accreditation on a routinecycle.

3.3 Independent Effectiveness Evaluation of ITServicesCONTROL OBJECTIVE

Management should obtain independentevaluation of the effectiveness of IT services ona routine cycle.

3.4 Independent Effectiveness Evaluation ofThird-Party Service ProvidersCONTROL OBJECTIVE

Management should obtain independentevaluation of the effectiveness of IT serviceproviders on a routine cycle.

3.5 Independent Assurance of Compliance withLaws and Regulatory Requirements andContractual CommitmentsCONTROL OBJECTIVE

Management should obtain independentassurance of the IT function’s compliance withlegal and regulatory requirements, andcontractual commitments on a routine cycle.

3.6 Independent Assurance of Compliance withLaws and Regulatory Requirements andContractual Commitments by Third-PartyService ProvidersCONTROL OBJECTIVE

Management should obtain independentassurance of third-party service providers’compliance with legal and regulatoryrequirements and contractual commitments on aroutine cycle.

3.7 Competence of Independent AssuranceFunctionCONTROL OBJECTIVE

Management should ensure that the independentassurance function possesses the technicalcompetence, and skills and knowledge necessaryto perform such reviews in an effective, efficientand economical manner.

3.8 Proactive Audit InvolvementCONTROL OBJECTIVE

IT management should seek audit involvement ina proactive manner before finalising IT servicesolutions.

M3



MonitoringProvide for Independent AuditM4


providing for independent audit


to increase confidence levels and benefit from best practice advice

is enabled by

independent audits carried out at regular intervals


• audit independence• proactive audit involvement• performance of audits by qualified personnel• clearance of findings and recommendations• follow-up activities• impact assessments of audit recommendations (costs, benefits and

risks)

effec

tivene

sseff

icien

cyco

nfide

ntiali

tyint

egrity

avail

abilit

yco

mplian

cerel

iabilit

y



Monitoring


peop

leap

plica

tions

techn

ology

facilit

iesda

ta

CONTROL OBJECTIVES


4 PROVIDE FOR INDEPENDENT AUDIT

4.1 Audit CharterCONTROL OBJECTIVE

A charter for the audit function should beestablished by the organisation’s seniormanagement. This document should outline theresponsibility, authority and accountability of theaudit function. The charter should be reviewedperiodically to assure that the independence,authority and accountability of the audit functionare maintained.

4.2 IndependenceCONTROL OBJECTIVE

The auditor should be independent from theauditee in attitude and appearance (actual andperceived). Auditors should not be affiliated withthe section or department being audited, and, tothe extent possible, should also be independentof the subject organisation itself. Thus, the auditfunction is to be sufficiently independent of thearea being audited to permit objectivecompletion of the audit.

4.3 Professional Ethics and StandardsCONTROL OBJECTIVE

The audit function should ensure adherence toapplicable codes of professional ethics (e.g.,Code of Professional Ethics of the InformationSystems Audit and Control Association) andauditing standards (e.g., Standards forInformation Systems Auditing of the InformationSystems Audit and Control Association) in allthat they do. Due professional care should beexercised in all aspects of the audit work,including the observance of applicable audit andIT standards.

4.4 CompetenceCONTROL OBJECTIVE

Management should ensure that the auditorsresponsible for the review of the organisation'sIT activities are technically competent andcollectively possess the skills and knowledge(i.e., CISA domains) necessary to perform suchreviews in an effective, efficient and economicalmanner. Management should ensure that auditstaff assigned to information systems auditingtasks maintain their technical competencethrough appropriate continuing professionaleducation.

4.5 PlanningCONTROL OBJECTIVE

Senior management should establish a plan toensure that regular and independent audits areobtained regarding the effectiveness, efficiencyand economy of security and internal controlprocedures, and management's ability to controlIT function activities. Senior management shoulddetermine priorities with regard to obtainingindependent audits within this plan. Auditorsshould plan the information systems audit workto address the audit objectives and to complywith applicable professional auditing standards.

4.6 Performance of Audit WorkCONTROL OBJECTIVE

Audits should be appropriately supervised toprovide assurances that audit objectives areachieved and applicable professional auditingstandards are met. Auditors should ensure thatthey obtain sufficient, reliable, relevant anduseful evidence to achieve the audit objectiveseffectively. The audit findings and conclusionsare to be supported by appropriate analysis andinterpretation of this evidence.

M4


DETAILED CONTROL OBJECTIVES


MonitoringProvide for Independent AuditM4


4.7 ReportingCONTROL OBJECTIVE

The organisation’s audit function should providea report, in an appropriate form, to intendedrecipients upon the completion of audit work.The audit report should state the scope andobjectives of the audit, the period of coverage,and the nature and extent of the audit workperformed. The report should identify theorganisation, the intended recipients and anyrestrictions on circulation. The audit reportshould also state the findings, conclusions andrecommendations concerning the audit workperformed, and any reservations or qualificationsthat the auditor has with respect to the audit.

4.8 Follow-up ActivitiesCONTROL OBJECTIVE

Resolution of audit comments rests withmanagement. Auditors should request andevaluate appropriate information on previousfindings, conclusions and recommendations todetermine whether appropriate actions have beenimplemented in a timely manner.

CONTROL OBJECTIVES


A P P E N D I C E S

CONTROL OBJECTIVES


The following Management Guideline and Maturity Model identify the Critical Success Factors (CSFs), KeyGoal Indicators (KGIs), Key Performance Indicators (KPIs) and Maturity Model for IT governance. First, ITgovernance is defined, articulating the business need. Next, the information criteria related to IT governance areidentified. The business need is measured by the KGIs and enabled by a control statement, leveraged by all the ITresources. The achievement of the enabling control statement is measured by the KPIs, which consider the CSFs.The Maturity Model is used to evaluate an organisation’s level of achievement of IT governance—from Non-existent (the lowest level) to Initial/Ad Hoc, to Repeatable but Intuitive, to Defined Process, to Managed andMeasurable, to Optimised (the highest level). To achieve the Optimised maturity level for IT governance, anorganisation must be at least at the Optimised level for the Monitoring domain and at least at the Managed andMeasurable level for all other domains.

(See the COBIT Management Guidelines for a thorough discussion of the use of these tools.)

IT GOVERNANCE MANAGEMENT GUIDELINE

Appendix ICONTROL OBJECTIVES


Appendix I

IT GOVERNANCEMANAGEMENT GUIDELINEGovernance over information technology and its processes with thebusiness goal of adding value, while balancing risk versus return

ensures delivery of information to the business that addressesthe required Information Criteria and is measured byKey Goal Indicators

is enabled by creating and maintaining a system ofprocess and control excellence appropriate for thebusiness that directs and monitors the business valuedelivery of IT

considers Critical Success Factors that leverage all IT Resources and is measured byKey Performance Indicators


Information Criteria

Critical Success Factors

Key Goal Indicators• Enhanced performance and cost management • Improved return on major IT investments• Improved time to market• Increased quality, innovation and risk

management• Appropriately integrated and standardised

business processes• Reaching new and satisfying existing

customers• Availability of appropriate bandwidth,

computing power and IT delivery mechanisms• Meeting requirements and expectations of the

customer of the process on budget and on time• Adherence to laws, regulations, industry

standards and contractual commitments • Transparency on risk taking and adherence to

the agreed organisational risk profile • Benchmarking comparisons of IT governance

maturity• Creation of new service delivery channels

• IT governance activities are integrated into the enterprise governance process and leadership behaviours

• IT governance focuses on the enterprise goals, strategicinitiatives, the use of technology to enhance the business and onthe availability of sufficient resources and capabilities to keepup with the business demands

• IT governance activities are defined with a clear purpose,documented and implemented, based on enterprise needs andwith unambiguous accountabilities

• Management practices are implemented to increase efficient andoptimal use of resources and increase the effectiveness of ITprocesses

• Organisational practices are established to enable: sound over-sight; a control environment/culture; risk assessment as standardpractice; degree of adherence to established standards; monitor-ing and follow up of control deficiencies and risks

• Control practices are defined to avoid breakdowns in internalcontrol and oversight

• There is integration and smooth interoperability of the morecomplex IT processes such as problem, change andconfiguration management

• An audit committee is established to appoint and oversee anindependent auditor, focusing on IT when driving audit plans,and review the results of audits and third-party reviews.

people

applications

technology

facilities

data

IT Resources

Key Performance Indicators• Improved cost-efficiency of IT processes (costs

vs. deliverables) • Increased number of IT action plans for process

improvement initiatives• Increased utilisation of IT infrastructure • Increased satisfaction of stakeholders (survey

and number of complaints)• Improved staff productivity (number of

deliverables) and morale (survey)• Increased availability of knowledge and

information for managing the enterprise • Increased linkage between IT and enterprise

governance• Improved performance as measured by IT

balanced scorecards

CONTROL OBJECTIVES


Appendix ICONTROL OBJECTIVESIT Governance Maturity ModelGovernance over information technology and its processeswith the business goal of adding value, while balancing riskversus return

0 Non-existent There is a complete lack of anyrecognisable IT governance process. The organisationhas not even recognised that there is an issue to beaddressed and hence there is no communication aboutthe issue.

1 Initial /Ad Hoc There is evidence that the organisationhas recognised that IT governance issues exist and needto be addressed. There are, however, no standardisedprocesses, but instead there are ad hoc approaches appliedon an individual or case-by-case basis. Management’sapproach is chaotic and there is only sporadic, non-consistent communication on issues and approaches toaddress them. There may be some acknowledgement ofcapturing the value of IT in outcome-oriented performance of related enterprise processes. There is nostandard assessment process. IT monitoring is onlyimplemented reactively to an incident that has causedsome loss or embarrassment to the organisation.

2 Repeatable but Intuitive There is global awarenessof IT governance issues. IT governance activities andperformance indicators are under development, whichinclude IT planning, delivery and monitoring processes.As part of this effort, IT governance activities areformally established into the organisation’s changemanagement process, with active senior managementinvolvement and oversight. Selected IT processes areidentified for improving and/or controlling coreenterprise processes and are effectively planned andmonitored as investments, and are derived within thecontext of a defined IT architectural framework.Management has identified basic IT governancemeasurements and assessment methods and techniques,however, the process has not been adopted across theorganisation. There is no formal training andcommunication on governance standards andresponsibilities are left to the individual. Individualsdrive the governance processes within various IT projectsand processes. Limited governance tools are chosen and

implemented for gathering governance metrics, but maynot be used to their full capacity due to a lack ofexpertise in their functionality.

3 Defined Process The need to act with respect to ITgovernance is understood and accepted. A baseline set ofIT governance indicators is developed, where linkagesbetween outcome measures and performance drivers aredefined, documented and integrated into strategic andoperational planning and monitoring processes.Procedures have been standardised, documented andimplemented. Management has communicatedstandardised procedures and informal training isestablished. Performance indicators over all ITgovernance activities are being recorded and tracked,leading to enterprise-wide improvements. Althoughmeasurable, procedures are not sophisticated, but are theformalisation of existing practices. Tools arestandardised, using currently available techniques. ITBalanced Business Scorecard ideas are being adopted bythe organization. It is, however, left to the individual toget training, to follow the standards and to apply them.Root cause analysis is only occasionally applied. Mostprocesses are monitored against some (baseline) metrics,but any deviation, while mostly being acted upon byindividual initiative, would unlikely be detected bymanagement. Nevertheless, overall accountability of keyprocess performance is clear and management isrewarded based on key performance measures.

4 Managed and Measurable There is fullunderstanding of IT governance issues at all levels,supported by formal training. There is a clearunderstanding of who the customer is and responsibilitiesare defined and monitored through service levelagreements. Responsibilities are clear and processownership is established. IT processes are aligned withthe business and with the IT strategy. Improvement in ITprocesses is based primarily upon a quantitativeunderstanding and it is possible to monitor and measurecompliance with procedures and process metrics. Allprocess stakeholders are aware of risks, the importanceof IT and the opportunities it can offer. Management hasdefined tolerances under which processes must operate.Action is taken in many, but not all cases whereprocesses appear not to be working effectively or


Appendix I

efficiently. Processes are occasionally improved and bestinternal practices are enforced. Root cause analysis isbeing standardised. Continuous improvement isbeginning to be addressed. There is limited, primarilytactical, use of technology, based on mature techniquesand enforced standard tools. There is involvement of allrequired internal domain experts. IT governance evolvesinto an enterprise-wide process. IT governance activitiesare becoming integrated with the enterprise governanceprocess.

5 Optimised There is advanced and forward-lookingunderstanding of IT governance issues and solutions.Training and communication is supported by leading-edge concepts and techniques. Processes have beenrefined to a level of external best practice, based onresults of continuous improvement and maturitymodeling with other organisations. The implementationof these policies has led to an organisation, people andprocesses that are quick to adapt and fully support IT

governance requirements. All problems and deviationsare root cause analysed and efficient action is expedientlyidentified and initiated. IT is used in an extensive, integrated and optimised manner to automate theworkflow and provide tools to improve quality andeffectiveness. The risks and returns of the IT processesare defined, balanced and communicated across theenterprise. External experts are leveraged andbenchmarks are used for guidance. Monitoring, self-assessment and communication about governanceexpectations are pervasive within the organisation andthere is optimal use of technology to supportmeasurement, analysis, communication and training.Enterprise governance and IT governance arestrategically linked, leveraging technology and humanand financial resources to increase the competitiveadvantage of the enterprise.

CONTROL OBJECTIVES


The COBIT project continues to be supervised by a ProjectSteering Committee formed by international representativesfrom industry, academia, government and the security andcontrol profession. The Project Steering Committee hasbeen instrumental in the development of the COBITFramework and in the application of the research results.International working groups were established for the pur-pose of quality assurance and expert review of the project’sinterim research and development deliverables. Overallproject guidance is provided by the IT GovernanceInstitute.

RESEARCH AND APPROACH FOR EARLIER DEVELOPMENT Starting with the COBIT Framework defined in the 1st

edition, the application of international standards andguidelines and research into best practices have led to thedevelopment of the control objectives. Audit guidelineswere next developed to assess whether these control objec-tives are appropriately implemented.

Research for the 1st and 2nd editions included the collectionand analysis of identified international sources and was carried out by teams in Europe (Free University ofAmsterdam), the US (California Polytechnic University)and Australia (University of New South Wales). Theresearchers were charged with the compilation, review,assessment and appropriate incorporation of internationaltechnical standards, codes of conduct, quality standards,professional standards in auditing and industry practicesand requirements, as they relate to the Framework and toindividual control objectives. After collection and analysis,the researchers were challenged to examine each domainand process in depth and suggest new or modified controlobjectives applicable to that particular IT process.Consolidation of the results was performed by the COBITSteering Committee and the Director of Research ofISACF.

RESEARCH AND APPROACH FOR THE 3RD EDITION The COBIT 3rd Edition project consisted of developing theManagement Guidelines and updating COBIT 2nd Editionbased on new and revised international references.

Furthermore, the COBIT Framework was revised andenhanced to support increased management control, to

introduce performance management and to further developIT governance. In order to provide management with anapplication of the Framework so that it can assess andmake choices for control implementation and improve-ments over its information and related technology, as wellas measure performance, the Management Guidelinesinclude Maturity Models, Critical Success Factors, KeyGoal Indicators and Key Performance Indicators related tothe Control Objectives.

Management Guidelines was developed by using a world-wide panel of 40 experts from industry, academia, govern-ment and the IT security and control profession. Theseexperts participated in a residential workshop guided byprofessional facilitators and using development guidelinesdefined by the COBIT Steering Committee. The workshopwas strongly supported by the Gartner Group andPricewaterhouseCoopers, who not only provided thoughtleadership but also sent several of their experts on control,performance management and information security. Theresults of the workshop were draft Maturity Models,Critical Success Factors, Key Goal Indicators and KeyPerformance Indicators for each of COBIT’s 34 high-levelcontrol objectives. Quality assurance of the initial deliver-ables was conducted by the COBIT Steering Committee andthe results were posted for exposure on the ISACA website. The Management Guidelines document was finallyprepared to offer a new management-oriented set of tools,while providing integration and consistency with the COBITFramework.

The update to the Control Objectives, based on new andrevised international references, was conducted by mem-bers of ISACA chapters, under the guidance of COBITSteering Committee members. The intention was not toperform a global analysis of all material or a redevelop-ment of the Control Objectives, but to provide an incre-mental update process.

The results of the development of the ManagementGuidelines were then used to revise the COBIT Framework,especially the considerations, goals and enabler statementsof the high-level control objectives.

Appendix II

COBIT PROJECT DESCRIPTION


COSO: Committee of Sponsoring Organisations of the Treadway Commission. Internal Control — Integrated Framework.2 Vols. American Institute of Certified Accountants, New Jersey, 1994.

OECD Guidelines: Organisation for Economic Co-operation and Development. Guidelines for the Security of Information,Paris, 1992.

DTI Code of Practice for Information Security Management: Department of Trade and Industry and British StandardInstitute. A Code of Practice for Information Security Management, London, 1993, 1995.

ISO 9000-3: International Organisation for Standardisation. Quality Management and Quality Assurance Standards — Part3: Guidelines for the Application of ISO 9001 to the development, supply and maintenance of software, Switzerland, 1991.

An Introduction to Computer Security: The NIST Handbook: NIST Special Publication 800-12, National Institute ofStandards and Technology, U.S. Department of Commerce, Washington, DC, 1995.

ITIL IT Management Practices: Information Technology Infrastructure Library. Practices and guidelines developed by theCentral Computer and Telecommunications Agency (CCTA), London, 1989.

IBAG Framework: Draft Framework from the Infosec Business Advisory Group to SOGIS (Senior Officials Group onInformation Security, advising the European Commission), Brussels, 1994.

NSW Premier’s Office Statements of Best Practices and Planning Information Management and Techniques:Statements of Best Practice #1 through #6. Premier’s Department New South Wales, Government of New South Wales,Australia, 1990 through 1994.

Memorandum Dutch Central Bank: Memorandum on the Reliability and Continuity of Electronic Data Processing inBanking. De Nederlandsche Bank, Reprint from Quarterly Bulletin #3, Netherlands, 1998.

EDPAF Monograph #7, EDI: An Audit Approach: Jamison, Rodger. EDI: An Audit Approach, Monograph Series #7,Information Systems Audit and Control Foundation, Inc., Rolling Meadows, IL, April 1994.

PCIE (President’s Council on Integrity and Efficiency) Model Framework: A Model Framework for Management OverAutomated Information Systems. Prepared jointly by the President’s Council on Management Improvement and the President’sCouncil on Integrity and Efficiency, Washington, DC, 1987.

Japan Information Systems Auditing Standards: Information System Auditing Standard of Japan. Provided by the ChuoAudit Corporation, Tokyo, August 1994.

CONTROL OBJECTIVES Controls in an Information Systems Environment: Control Guidelines and AuditProcedures: EDP Auditors Foundation (now the Information Systems Audit and Control Foundation), Fourth Edition, RollingMeadows, IL, 1992.

CISA Job Analysis: Information Systems Audit and Control Association Certification Board. “Certified Information SystemsAuditor Job Analysis Study,” Rolling Meadows, IL, 1994.

IFAC International Information Technology Guidelines—Managing Security of Information: International Federation ofAccountants, New York, 1998.

IFAC International Guidelines on Information Technology Management—Managing Information Technology Planningfor Business Impact: International Federation of Accountants, New York, 1999.

Guide for Auditing for Controls and Security, A System Development Life Cycle Approach: NIST Special Publication500-153: National Institute of Standards and Technology, U.S. Department of Commerce, Washington, DC, 1988.

Government Auditing Standards: US General Accounting Office, Washington, DC, 1999.

SPICE: Software Process Improvement and Capability Determination. A standard on software process improvement, BritishStandards Institution, London, 1995.

Denmark Generally Accepted IT Management Practices: The Institute of State Authorized Accountants, Denmark, 1994.

COBIT PRIMARY REFERENCE MATERIAL

Appendix III

CONTROL OBJECTIVES


DRI International, Professional Practices for Business Continuity Planners: Disaster Recovery Institute International.Guideline for Business Continuity Planners, St. Louis, MO, 1997.

IIA, SAC Systems Audibility and Control: Institute of Internal Auditors Research Foundation, Systems Audibility andControl Report, Altamonte Springs, FL, 1991, 1994.

IIA, Professional Practices Pamphlet 97-1, Electronic Commerce: Institute of Internal Auditors Research Foundation,Altamonte Springs, FL, 1997.

E & Y Technical Reference Series: Ernst & Young, SAP R/3 Audit Guide, Cleveland, OH, 1996.

C & L Audit Guide SAP R/3: Coopers & Lybrand, SAP R/3: Its Use, Control and Audit, New York, 1997.

ISO IEC JTC1/SC27 Information Technology — Security: International Organisation for Standardisation (ISO) TechnicalCommittee on Information Technology Security, Switzerland, 1998.

ISO IEC JTC1/SC7 Software Engineering: International Organisation for Standardisation (ISO) Technical Committee onSoftware Process Assessment. An Assessment Model and Guidance Indicator, Switzerland, 1992.

ISO TC68/SC2/WG4, Information Security Guidelines for Banking and Related Financial Services: InternationalOrganisation for Standardisation (ISO) Technical Committee on Banking and Financial Services, Draft, Switzerland, 1997.

Common Criteria and Methodology for Information Technology Security Evaluation: CSE (Canada), SCSSI (France),BSI (Germany), NLNCSA (Netherlands), CESG (United Kingdom), NIST (USA) and NSA (USA), 1999.

Recommended Practice for EDI: EDIFACT (EDI for Administration Commerce and Trade), Paris, 1987.

TickIT: Guide to Software Quality Management System Construction and Certification. British Department of Trade andIndustry (DTI), London, 1994

ESF Baseline Control—Communications: European Security Forum, London. Communications Network Security,September 1991; Baseline Controls for Local Area Networks, September, 1994.

ESF Baseline Control—Microcomputers: European Security Forum, London. Baseline Controls Microcomputers Attachedto Network, June 1990.

Computerized Information Systems (CIS) Audit Manual: EDP Auditors Foundation (now the Information Systems Auditand Control Foundation), Rolling Meadows, IL, 1992.

Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1): US General Accounting Office,Washington, DC 1999.

Guide for Developing Security Plans for Information Technology: NIST Special Publication 800-18, National Institute forStandards and Technology, US Department of Commerce, Washington, DC, 1998.

Financial Information Systems Control Audit Manual (FISCAM): US General Accounting Office, Washington, DC, 1999.

BS7799-Information Security Management: British Standards Institute, London, 1999.

CICA Information Technology Control Guidelines, 3rd Edition: Canadian Institute of Chartered Accountants, Toronto,1998.

ISO/IEC TR 1335-n Guidelines for the Management of IT Security (GMITS), Parts 1-5: International Organisation forStandardisation, Switzerland, 1998.

AICPA/CICA SysTrust™ Principles and Criteria for Systems Reliability, Version 1.0: American Institute of CertifiedPublic Accountants, New York, and Canadian Institute of Chartered Accountants, Toronto, 1999.

Appendix III


AICPA American Institute of Certified Public AccountantsCICA Canadian Institute of Chartered AccountantsCISA Certified Information Systems AuditorCCEB Common Criteria for Information Technology SecurityControl The policies, procedures, practices and organisational structures designed to provide reasonable

assurance that business objectives will be achieved and that undesired events will be prevented ordetected and corrected

COSO Committee of Sponsoring Organisations of the Treadway CommissionDRI Disaster Recovery Institute InternationalDTI Department of Trade and Industry of the United KingdomEDIFACT Electronic Data Interchange for Administration, Commerce and TradeEDPAF Electronic Data Processing Auditors Foundation (now ISACF)ESF European Security Forum, a cooperation of 70+ primarily European multi-nationals with the goal of

researching common security and control issues in ITGAO US General Accounting OfficeI4 International Information Integrity Institute, similar association as the ESF, with similar goals but

primarily US-based and run by Stanford Research InstituteIBAG Infosec Business Advisory Group, industry representatives who advise the Infosec Committee. This

Committee is composed of government officials of the European Community and itself advises theEuropean Commission on IT security matters.

IFAC International Federation of AccountantsIIA Institute of Internal AuditorsINFOSEC Advisory Committee for IT Security Matters to the European CommissionISACA Information Systems Audit and Control AssociationISACF Information Systems Audit and Control FoundationISO International Organisation for Standardisation (with offices in Geneva, Switzerland)ISO9000 Quality management and quality assurance standards as defined by ISOIT Control Objective A statement of the desired result or purpose to be achieved by implementing control procedures in a

particular IT activityITIL Information Technology Infrastructure LibraryITSEC Information Technology Security Evaluation Criteria. The harmonised criteria of France, Germany, the

Netherlands and the United Kingdom, since then also supported by the European Commission (see alsoTCSEC, the US equivalent).

NBS National Bureau of Standards of the USNIST (formerly NBS) National Institute of Standards and Technology, based in Washington, DCNSW New South Wales, AustraliaOECD Organisation for Economic Cooperation and DevelopmentOSF Open Software FoundationPCIE President’s Council on Integrity and EfficiencySPICE Software Process Improvement and Capability Determination—a standard on software process

improvementTCSEC Trusted Computer System Evaluation Criteria, also known as The Orange Book: security evaluation

criteria for computer systems as originally defined by the US Department of Defense. See also ITSEC,the European equivalent.

TickIT Guide to Software Quality Management System Construction and Certification

GLOSSARY OF TERMS

Appendix IV

CONTROL OBJECTIVES


Costing Procedures DS 6.2 105Counterparty Trust DS 5.13 102Critical IT Resources DS 4.10 98Cross-Training or Staff Back-up PO 7.5 51Cryptographic Key Management DS 5.18 103Customer Query Escalation DS 8.3 109Data and System Ownership PO 4.8 42Data Classification DS 5.8 102Data Classification Scheme PO 2.3 37Data Conversion AI 5.5 83Data Input Authorisation Procedures DS 11.6 115Data Input Error Handling DS 11.8 115Data Preparation Procedures DS 11.1 115Data Processing Error Handling DS 11.11 116Data Processing Integrity DS 11.9 115Data Processing Validation and Editing DS 11.10 115Definition of Information Requirements AI 1.1 71Definition of Interfaces AI 2.8 75Departures from Standard Job Schedules DS 13.4 123Design Approval AI 2.3 75Design Methods AI 2.1 75Distribution of Software AI 6.8 87Documentation and Procedures AI 6.5 87Economic Feasibility Study AI 1.6 71Electronic Commerce PO 8.5 55Electronic Transaction Integrity DS 11.29 118Emergency and Temporary Access Authorisations DS 10.4 113Emergency Changes AI 6.4 87Emergency Processing Priorities DS 10.5 113Employee Job Performance Evaluation PO 7.7 51Ergonomics AI 1.11 72Evaluation of Meeting User Requirements AI 5.13 84External Requirements Review PO 8.1 55File Requirements Definition and Documentation AI 2.4 75Final Acceptance Test AI 5.9 84Firewall Architectures and Connections with

Public Networks DS 5.20 103Follow-up Activities M 4.8 134Formal Project Risk Management PO 10.10 62Formulation of Acquisition Strategy AI 1.3 71Formulation of Alternative Courses of Action AI 1.2 71General Quality Plan PO 11.1 65Hardware and Software Acquisition Plans PO 3.4 39Help Desk DS 8.1 109Identification of Training Needs DS 7.1 107Identification, Authentication and Access DS 5.2 101Impact Assessment AI 6.2 87Implementation Plan AI 5.3 83Incident Handling DS 5.11 102Independence M 4.2 133Independent Assurance of Compliance with Laws

and Regulatory Requirements and Contractual Commitments M 3.5 131

Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments by Third-Party Service Providers M 3.6 131

Acceptance of Facilities AI 1.17 73Acceptance of Technology AI 1.18 73Accuracy, Completeness and Authorisation Checks DS 11.7 115Acquisition and Maintenance Framework

for the Technology Infrastructure PO 11.9 66Annual IT Operating Budget PO 5.1 45Application Software Performance Sizing AI 5.2 83Application Software Testing AI 2.15 76Archiving DS 11.26 117Aspects of Service Level Agreements DS 1.2 91Assessing Customer Satisfaction M 1.3 127Assessing Performance M 1.2 127Assessment of Existing Systems PO 1.8 34Assessment of New Hardware and Software AI 3.1 79Audit Charter M 4.1 133Audit Trails Design AI 1.10 72Authentication and Integrity DS 11.28 117Authorised Maintenance AI 6.6 87Availability and Performance Requirements DS 3.1 95Availability as a Key Design Factor AI 2.13 76Availability Plan DS 3.2 95Back-up and Restoration DS 11.23 117Back-up Jobs DS 11.24 117Back-up Site and Hardware DS 4.11 98Back-up Storage DS 11.25 117Business Risk Assessment PO 9.1 57Capacity Management of Resources DS 3.7 95Central Identification and Access Rights

Management DS 5.9 102Change Request Initiation and Control AI 6.1 87Chargeable Items DS 1.6 91Chargeable Items DS 6.1 105Collecting Monitoring Data M 1.1 105Communication of IT Plans PO 1.6 34Communication of IT Security Awareness PO 6.11 48Communication of Organisation Policies PO 6.3 47Competence M 4.4 133Competence of Independent Assurance Function M 3.7 131Compliance with Insurance Contracts PO 8.6 55Compliance with Polices, Procedures and Standards PO 6.6 47Configuration Baseline DS 9.2 111Configuration Control DS 9.4 111Configuration Management Procedures DS 9.7 111Configuration Recording DS 9.1 111Continued Integrity of Stored Data DS 11.30 118Continuity of Services DS 2.6 93Contract Application Programming AI 1.16 72Contracted Staff Policies and Procedures PO 4.14 42Control of Changes AI 6.3 87Controllability AI 2.12 76Coordination and Communication PO 11.8 65Corporate Data Dictionary and Data Syntax Rules PO 2.2 37Cost and Benefit Justification PO 5.3 45Cost and Benefit Monitoring PO 5.2 45Cost-Effective Security Controls AI 1.9 72

INDEXDom. Cntl. Pg. Dom. Cntl. Pg.


Independent Effectiveness Evaluation of IT Services M 3.3 131Independent Effectiveness of Third-Party Service

Providers M 3.4 131Independent Security and Internal Control

Certification/Accreditation of IT Services M 3.1 131Independent Security and Internal Control

Certification/Accreditation of Third-Party Service Providers M 3.2 131

Information Architecture AI 1.7 71Information Architecture Model PO 2.1 37Input Requirements Definition and Documentation AI 2.7 75Intellectual Property Rights PO 6.9 48Internal Control Level Reporting M 2.3 129Internal Control Monitoring M 2.1 129Issue-Specific Policies PO 6.10 48IT as Part of the Organisation’s Long- and

Short-Range Plan PO 1.1 33IT Continuity Framework DS 4.1 97IT Continuity Plan Contents DS 4.3 97IT Continuity Plan Distribution DS 4.8 98IT Continuity Plan Strategy and Philosophy DS 4.2 97IT Continuity Plan Training DS 4.7 97IT Integrity Provisions in Application Programme

Software AI 2.14 76IT Long-Range Plan PO 1.2 33IT Long-Range Plan Changes PO 1.4 33IT Long-Range Planning — Approach and Structure PO 1.3 33IT Planning or Steering Committee PO 4.1 41IT Staffing PO 4.11 42Job Change and Termination PO 7.8 51Job or Position Descriptions for IT Staff PO 4.12 42Job Scheduling DS 13.3 123Key IT Personnel PO 4.13 42Low Profile of the IT Site DS 12.2 121Maintaining the IT Continuity Plan DS 4.5 97Maintenance of Policies PO 6.5 47Major Changes to Existing Systems AI 2.2 75Malicious Software Prevention,

Detection and Correction DS 5.19 103Manage Security Measures DS 5.1 101Management Reporting M 1.4 127Management Review of User Accounts DS 5.5 101Management’s Post-Implementation Review AI 5.14 84Management’s Responsibility for Policies PO 6.2 47Media Library Management Responsibilities DS 11.22 117Media Library Management System DS 11.21 117Minimising IT Continuity Requirements DS 4.4 97Modeling Tools DS 3.4 95Monitor Future Trends and Regulations PO 3.2 39Monitoring and Evaluating of IT Plans PO 1.7 34Monitoring DS 2.8 93Monitoring and Reporting DS 1.4 91Monitoring and Reporting DS 3.3 95Monitoring of Clearance DS 8.4 109Non-Repudiation DS 5.15 103

INDEX

Off-site Back-up Storage DS 4.12 98Operational Requirements and Service Levels AI 4.1 81Operational Security and Internal Control Assurance M 2.4 129Operational Test AI 5.11 84Operations Logs DS 13.6 123Operations Manual AI 4.3 81Organisational Placement of the IT Function PO 4.2 41Output Balancing and Reconciliation DS 11.14 116Output Distribution DS 11.13 116Output Handling and Retention DS 11.12 116Output Requirements Definition and Documentation AI 2.11 76Output Review and Error Handling DS 11.15 116Outsourcing Contracts DS 2.5 93Owner Relationships DS 2.2 93Ownership and Custodianship PO 4.7 41Parallel/Pilot Testing Criteria and Performance AI 5.8 83Parallel/Pilot Testing PO 11.14 66Performance of Audit Work M 4.6 133Performance Procedures DS 1.3 91Personnel Clearance Procedures PO 7.6 51Personnel Health and Safety DS 12.4 121Personnel Qualifications PO 7.2 51Personnel Recruitment and Promotion PO 7.1 51Personnel Training PO 7.4 51Physical Security DS 12.1 121Planning M 4.5 133Planning of Assurance Methods PO 10.9 61Policy Implementation Resources PO 6.4 47Positive Information Control Environment PO 6.1 47Post-Implementation Review Plan PO 10.13 62Practices and Procedures for Complying

with External Requirements PO 8.2 55Preventative Maintenance for Hardware AI 3.2 79Privacy, Intellectual Property and Data Flow PO 8.4 55Proactive Audit Involvement M 3.8 131Proactive Performance Management DS 3.5 95Problem Escalation DS 10.2 113Problem Management System DS 10.1 113Problem Tracking and Audit Trail DS 10.3 113Processing Continuity DS 13.5 123Processing Operations Procedures and

Instructions Manual DS 13.1 123Processing Requirements Definition and

Documentation AI 2.10 76Procurement Control AI 1.13 72Professional Ethics and Standards M 4.3 133Programme Documentation Standards PO 11.11 66Programme Specifications AI 2.5 75Programme Testing Standards PO 11.12 66Project Approval PO 10.5 61Project Definition PO 10.4 61Project Management Framework PO 10.1 61Project Master Plan PO 10.7 61Project Phase Approval PO 10.6 61Project Team Membership and Responsibilities PO 10.3 61

Dom. Cntl. Pg.Dom. Cntl. Pg.

CONTROL OBJECTIVES


Promotion to Production AI 5.12 84Protection Against Environmental Factors DS 12.5 121Protection of Disposed Sensitive Information DS 11.18 116Protection of Electronic Value DS 5.21 103Protection of Security Functions DS 5.17 103Protection of Sensitive Information During

Transmission and Transport DS 11.17 116Protection of Sensitive Messages DS 11.27 117Quality Assurance Approach PO 11.2 65Quality Assurance Evaluation of Adherence to

Development Standards PO 11.16 67Quality Assurance Planning PO 11.3 65Quality Assurance Review of Adherence to

IT Standards and Procedures PO 11.4 65Quality Assurance Review of the Achievement

of IT Objectives PO 11.17 67Quality Commitment PO 6.7 47Quality Metrics PO 11.18 67Reaccreditation DS 5.12 102Reassessment of System Design AI 2.17 77Registration of Customer Queries DS 8.2 109Relationships PO 4.15 42Remote Operations DS 13.8 123Reporting M 4.7 134Reports of Quality Assurance Reviews PO 11.19 67Resources Availability DS 3.8 95Resources Schedule DS 3.9 95Responsibility for Logical and Physical Security PO 4.6 41Responsibility for Quality Assurance PO 4.5 41Retention Periods and Storage Terms DS 11.20 116Review of Organisational Achievements PO 4.3 41Review of Service Level Agreements and Contracts DS 1.5 91Risk Acceptance PO 9.6 57Risk Action Plan PO 9.5 57Risk Analysis Report AI 1.8 71Risk Assessment Approach PO 9.2 57Risk Assessment Commitment PO 9.8 58Risk Identification PO 9.3 57Risk Measurement PO 9.4 57Roles and Responsibilities PO 4.4 41Roles and Responsibilities PO 7.3 51Safeguard Selection PO 9.7 58Safeguard Special Forms and Output Devices DS 13.7 123Safety and Ergonomic Compliance PO 8.3 55Security and Internal Control Framework Policy PO 6.8 48Security Levels PO 2.4 37Security of Online Access to Data DS 5.3 101Security Principles and Awareness Training DS 7.3 107Security Provision for Output Reports DS 11.16 116Security Relationships DS 2.7 93Security Surveillance DS 5.7 101Security Testing and Accreditation AI 5.10 84Segregation of Duties PO 4.10 42Selection of System Software AI 1.12 72Service Improvement Programme DS 1.7 91

Service Level Agreement Framework DS 1.1 91Short-Range Planning for the IT Function PO 1.5 33Software Accountability DS 9.8 111Software Conversion AI 5.4 83Software Product Acquisition AI 1.14 72Software Release Policy AI 6.7 87Software Storage DS 9.6 111Source Data Collection Design AI 2.6 75Source Document Authorisation Procedures DS 11.2 115Source Document Data Collection DS 11.3 115Source Document Error Handling DS 11.4 115Source Document Retention DS 11.5 115Startup Process and Other Operations

Documentation DS 13.2 123Status Accounting DS 9.3 111Storage Management DS 11.19 116Supervision PO 4.9 42Supplier Interfaces DS 2.1 93System Conversion AI 5.4 83System Development Life Cycle Methodology PO 11.5 65System Development Life Cycle Methodology

for Major Changes to Existing Technology PO 11.6 65System Quality Assurance Plan PO 10.8 61System Software Change Controls AI 3.6 79System Software Installation AI 3.4 79System Software Maintenance AI 3.5 79System Software Security AI 3.3 79System Testing Documentation PO 11.15 66System Testing Standards PO 11.13 66Technological Feasibility Study AI 1.5 71Technological Infrastructure Contingency PO 3.3 39Technological Infrastructure Planning PO 3.1 39Technology Standards PO 3.5 39Test Plan PO 10.11 62Testing of Changes AI 5.7 83Testing Strategies and Plans AI 5.6 83Testing the IT Continuity Plan DS 4.6 97Third-Party Contracts DS 2.3 93Third-Party Implementor Relationships PO 11.10 66Third-Party Qualifications DS 2.4 93Third-Party Service Requirements AI 1.4 71Third-Party Software Maintenance AI 1.15 72Timely Operation of Internal Controls M 2.2 129Training AI 5.1 83Training Materials AI 4.4 81Training Organisation DS 7.2 107Training Plan PO 10.12 62Transaction Authorisation DS 5.14 102Trend Analysis and Reporting DS 8.5 109Trusted Path DS 5.16 103Unauthorised Software DS 9.5 111Uninterruptible Power Supply DS 12.6 121Updating of the System Development Life Cycle

Methodology PO 11.7 65Use and Monitoring of System Utilities AI 3.7 79

Dom. Cntl. Pg.Dom. Cntl. Pg.

INDEX


User Account Management DS 5.4 101User Billing and Chargeback Procedures DS 6.3 105User Control of User Accounts DS 5.6 101User Department Alternative Processing Back-up

Procedures DS 4.9 98User Department Participation in Project Initiation PO 10.2 61User Procedures Manual AI 4.2 81User Reference and Support Materials AI 2.16 76User-Machine Interface AI 2.9 75Violation and Security Activity Reports DS 5.10 102Visitor Escort DS 12.3 121Workload Forecasting DS 3.6 95Wrap-up Procedures DS 4.13 98

INDEXDom. Cntl. Pg.Dom. Cntl. Pg.

TELEPHONE: +1.847.253.1545 E-MAIL: [email protected]: +1.847.253.1443 WEB SITES: www.ITgovernance.org

www.isaca.org

3701 ALGONQUIN ROAD, SUITE 1010ROLLING MEADOWS, ILLINOIS 60008, USA

TELL US WHAT YOU THINK ABOUT COBITWe are interested in knowing your reaction to COBIT: Control Objectives for Information andrelated Technology. Please provide your comments below. ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Name _______________________________________________________________________Company ____________________________________________________________________Address _____________________________________________________________________City _______________________________ State/Province ____________________________Country ____________________________ ZIP/Postal Code ___________________________FAX Number _________________________________________________________________E-mail Address________________________________________________________________

■■ I am interested in learning more about how COBIT can be used in my organisation. Please ask a representative to contact me.

■■ Please send me more information about:■■ Purchasing other COBIT products■■ COBIT Training Courses (in-house or general session)■■ Certified Information Systems AuditorTM (CISA®) Certification■■ Information Systems Control Journal■■ Information Systems Audit and Control Association (ISACA)

Thank you!

All respondents will be acknowledged.

cobit regulations

Documents