CobiT-4.1 Research. Краткое содержание стандарта по аудиту информационных систем
Подождите немного. Документ загружается.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
Respond to business requirements in
alignment with the business strategy.
Respond to governance requirements in
line with board direction.
Ensure satisfact
ion of end users with
service offerings and service levels.
Optimise use of information.
Create IT agility.
Define how business functional and control requirements
are translated in effective and efficient automated solutions.
Acquire and maintain integrated and
standardised application systems.
Acquire and
maintain an integrated and
standardised IT infrastructure.
Acqu
ire and
maintain IT skills that
respond to the IT strategy.
Ensure mutual satisfaction of third-party relationships.
E
ns
ure seamless int
egra
tation of applications
into business processes.
Ensure transparency and understanding of IT cost,
benefits,
strategy, policies and service levels.
Ensure proper use and performance of the a
pplications
and technology solutions.
Account for and protect all IT assets.
Optimise the IT infrastructure, resources and
capabilities.
Reduce solution and serv
ice deli
very defects and rework.
Prot
ect the achievement of IT objectives.
Establish clarity on the business impact of risks
to IT objectives and resources.
Ensure that critical and confidential information is withheld
from those who should not ha
ve access to it.
Ensure that automated business transactions and
information exchanges can be trusted.
Ensure that IT services and infrastructure can properly resist and
recover from failures due to error, deliberate attack or disaster.
Ensure minimum business impact in the event of an
IT service disruption or change.
Make sure that IT services are available as required.
Improve IT's cost-efficiency and its
contribution to business profitability.
Deliver projects on time and on budget,
meeting quality standards.
Maintain the integrity of information and
processing infrastructure.
Ensure IT compliance wi
t
h
la
w
s
,
reg
u
la
t
ions and
c
on
t
racts
.
Ensure t
h
a
t
IT dem
ons
t
rat
es
c
os
t
-
e
ffic
ien
t
ser
v
ic
e
qu
ali
t
y,
con
t
in
u
ou
s i
mp
r
ov
e
m
ent
and readiness f
or
f
utu
re c
h
ange.
APPENDIX I
C
OBIT 4.1
A PPENDIX II
M
APPING IT PROCESSES TO IT GOVERNANCE
F OCUS A REAS, COSO,
C
OBIT IT RESOURCES AND
C OBIT INFORMATION C RITERIA
This appendix provides a mapping between the COBIT IT processes and the five
IT governance focus areas, the components of COSO, IT resources and the
information criteria. The table also provides a relative importance indicator
(high, medium and low) based on benchmarking via COBIT Online. This matrix
demonstrates on one page and at a high level how the COBIT framework
addresses IT governance and COSO requirements, and shows the relationship
between IT processes and the IT resources and information criteria. P is used
when there is a primary relation and S when there is only a secondary relation.
No P or S does not mean that there is no relation, only that it is less
important, or marginal. The importance values are based on a survey and the
opinions of experts, and are provided only as a guide. Users should consider
what processes are important within their own organisations.
APPENDIX II
M
APPING
IT GOVERNANCE I NSTITUTE
PO1 Define a strategic IT plan. H P S S P S S P S
PO2 Define the information architecture. L P S P S P P S P S P
PO3 Determine technological direction. M S S P S S P S P P
PO4 Define the IT processes, organisation and relationships. L S P P P S S P P
PO5 Manage the IT investment. M S P S S S P P P S
PO6 Communicate management aims and direction. M P P P P P S
PO7 Manage IT human resources. L P P S S P S P P
PO8 Manage quality. M P S S P P S P P P S S
PO9 Assess and manage IT risks. H P P P S S P P P S S
PO10 Manage projects. H P S S S S S S P S P P
DS1 Define and manage service levels. M P P P P S P S S P P S S S S S
DS2 Manage third-party services. L P S P S P S P S P P S S S S S
DS3 Manage performance and capacity. L S S P S S P S P P S
DS4 Ensure continuous service. M S P S P S S P S P S P
DS5 Ensure systems security. H P P S S P P S S S
DS6 Identify and allocate costs. L S P S P P P
DS7 Educate and train users. L S P S S P S P S
DS8 Manage service desk and incidents. L P S S P P P P
DS9 Manage the configuration. M P P S P P S S S
DS10 Manage problems. M P S S P S S P P S
DS11 Manage data. H P P P P P P
DS12 Manage the physical environment. L S P S P P P
DS13 Manage operations. L P P S P P S S
AI1 Identify automated solutions. M P P S S P P S
AI2 Acquire and maintain application software. M P P S P P P S S
AI3 Acquire and maintain technology infrastructure. L P P S P S S
AI4 Enable operation and use. L S P S S P S P P S S S S
AI5 Procure IT resources. M S P P S P S
AI6 Manage changes. H P S S P S P P P P S
AI7 Install and accredit solutions and changes. M S P S S S P S S P S S S
ME1 Monitor and evaluate IT performance. H S S S S P S P P P S S S S S
ME2 Monitor and evaluate internal control. M P P P P P S S S S S
ME3 Ensure compliance with external requirements. H P P P S S P S
ME4 Provide IT governance. H P P P P P P S S P P P S S S S S
Strategic
Alignm
ent
IM
PORTANCE
Value
Delivery
Resource
M
anagement
Risk
M
anagement
Performance
M
easurem
ent
IT Governance Focus Areas
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Com
pliance
Reliability
COBIT Information Criteria
Control
Environm
ent
Risk
Assessm
ent
Control
Activities
Inform
ation and
Com
m
unicati
on
M
onitoring
COSO
Application
Inform
ation
Infrastructure
People
COBIT IT Resources
Plan and Organise
Acquire and Implement
Deliver and Support
Monitor and Evaluate
Note: The COSO mapping is based on the original COSO framework. The mapping also applies generally to the later COSO Enterprise Risk Management—Integrated Framework, which
expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. Whilst it is not intended to and does not replace the
original COSO internal control framework, but rather incorporates the internal control framework within it, users of C
OBIT may choose to refer to this enterprise risk management
framework both to satisfy their internal control needs and to move toward a fuller risk management process.
APPENDIX II
APPENDIX II—MAPPING IT PROCESSES TO IT GOVERNANCE
FOCUS AREAS, COSO, COBIT IT RESOURCES
AND
COBIT INFORMATION CRITERIA
173
A PPENDIX III
M
ATURITY M ODEL FOR I NTERNAL C ONTROL
This appendix provides a generic maturity model showing the status of the
internal control environment and the establishment of internal controls in an
enterprise. It shows how the management of internal control, and an aware-
ness of the need to establish better internal controls, typically develops from
an
ad hoc
to an optimised level. The model provides a high-level guide to help
COBIT users appreciate what is required for effective internal controls in IT and
to help position their enterprise on the maturity scale.
APPENDIX III
CONTROL MATURITY
© 2007 IT Governance Institute. All rights reserved. www.itgi.org
175
APPENDIX III
Maturity Level Status of the Internal Control Environment Establishment of Internal Controls
0 Non-existent There is no recognition of the need for internal There is no intent to assess the need for internal control.
control. Control is not part of the organisation’s Incidents are dealt with as they arise.
culture or mission. There is a high risk of control
deficiencies and incidents.
1 Initial/ad hoc There is some recognition of the need for internal There is no awareness of the need for assessment of what is
control. The approach to risk and control needed in terms of IT controls. When performed, it is only on an
requirements is ad hoc and disorganised, without ad hoc basis, at a high level and in reaction to significant
communication or monitoring. Deficiencies are not incidents. Assessment addresses only the actual incident.
identified. Employees are not aware of their
responsibilities.
2 Repeatable but Controls are in place but are not documented. Their Assessment of control needs occurs only when needed for
intuitive operation is dependent on knowledge and motivation selected IT processes to determine the current level of control
of individuals. Effectiveness is not adequately maturity, the target level that should be reached and the gaps
evaluated. Many control weaknesses exist and are that exist. An informal workshop approach, involving IT
not adequately addressed; the impact can be severe. managers and the team involved in the process, is used to
Management actions to resolve control issues are define an adequate approach to controls for the process and to
not prioritised or consistent. Employees may not be motivate an agreed-upon action plan.
aware of their responsibilities.
3 Defined Controls are in place and are adequately documented. Critical IT processes are identified based on value and risk drivers.
Operating effectiveness is evaluated on a periodic A detailed analysis is performed to identify control requirements
basis and there is an average number of issues. and the root cause of gaps and to develop improvement
However, the evaluation process is not documented. opportunities. In addition to facilitated workshops, tools are used
Whilst management is able to deal predictably with and interviews are performed to support the analysis and ensure
most control issues, some control weaknesses that an IT process owner owns and drives the assessment and
persist and impacts could still be severe. Employees improvement process.
are aware of their responsibilties for control.
4 Managed and There is an effective internal control and risk IT process criticality is regularly defined with full support and
measurable management environment. A formal, documented agreement from the relevant business process owners.
evaluation of controls occurs frequently. Many Assessment of control requirements is based on policy and the
controls are automated and regularly reviewed. actual maturity of these processes, following a thorough and
Management is likely to detect most control issues, measured analysis involving key stakeholders. Accountability for
but not all issues are routinely identified. There is these assessments is clear and enforced. Improvement
consistent follow-up to address identified control strategies are supported by business cases. Performance in
weaknesses. A limited, tactical use of technology is achieving the desired outcomes is consistently monitored.
applied to automate controls. External control reviews are organised occasionally.
5 Optimised An enterprisewide risk and control programme Business changes consider the criticality of IT processes, and
provides continuous and effective control and risk cover any need to reassess process control capability. IT process
issues resolution. Internal control and risk owners regularly perform self-assessments to confirm that
management are integrated with enterprise controls are at the right level of maturity to meet business needs
practices, supported with automated real-time and they consider maturity attributes to find ways to make
monitoring with full accountability for control controls more efficient and effective. The organisation
monitoring, risk management and compliance benchmarks to external good practices and seeks external
enforcement. Control evaluation is continuous, advice on internal control effectiveness. For critical processes,
based on self-assessments and gap and root independent reviews take place to provide assurance that the
cause analyses. Employees are proactively involved controls are at the desired level of maturity and working as
in control improvements. planned.
APPENDIX III—MATURITY MODEL FOR INTERNAL CONTROL
© 2007 IT Governance Institute. All rights reserved. www.itgi.org
176
COBIT 4.1
Page intentionally left blank
A PPENDIX IV
C
OBIT 4.1 PRIMARY R EFERENCE M ATERIAL
APPENDIX IV
REFERENCE
MATERIAL
© 2007 IT Governance Institute. All rights reserved. www.itgi.org
177
APPENDIX IV—COBIT 4.1 PRIMARY REFERENCE MATERIAL
For the earlier COBIT development and updating activities, a broad base of more than 40 international detailed IT standards,
frameworks, guidelines and good practices was used to ensure the completeness of C
OBIT in addressing all areas of IT governance
and control.
Because C
OBIT is focused on what is required to achieve adequate management and control of IT, it is positioned at a high level.
The more detailed IT standards and good practices are at a lower level of detail describing how to manage and control specific
aspects of IT. C
OBIT acts as an integrator of these different guidance materials, summarising key objectives under one umbrella
framework that also links to governance and business requirements.
For this C
OBIT update (COBIT 4.1), six of the major global IT-related standards, frameworks and practices were focused on as the
major supporting references to ensure appropriate coverage, consistency and alignment. These are:
• COSO:
Internal Control—Integrated Framework, 1994
Enterprise Risk Management—Integrated Framework, 2004
• Office of Government Commerce (OGC
®
):
IT Infrastructure Library
®
(ITIL
®
), 1999-2004
• International Organisation for Standardisation:
ISO/IEC 27000
• Software Engineering Institute (SEI
®
):
SEI Capability Maturity Model (CMM
®
), 1993
SEI Capability Maturity Model Integration (CMMI
®
), 2000
• Project Management Institute (PMI
®
):
A Guide to the Project Management Body of Knowledge (PMBOK
®
), 2004
• Information Security Forum (ISF):
The Standard of Good Practice for Information Security, 2003
Additional references used in the development of C
OBIT 4.1 include:
• IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial
Reporting, 2
nd
Edition, IT Governance Institute, USA, 2006
• CISA Review Manual, ISACA, 2006
APPENDIX IV
© 2007 IT Governance Institute. All rights reserved. www.itgi.org
178
COBIT 4.1
Page intentionally left blank
A PPENDIX V
C
ROSS- REFERENCES B ETWEEN
C OBIT 3
RD
E DITION AND C OBIT 4.1
APPENDIX V
CROSS-REFERENCES