
IT Auditing Cobit Mapping

February 26, 2010

Linkage to COBIT

COBIT Framework states, “It is management’s responsibility to safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management should establish an adequate system of internal control.”

COBIT Management Guidelines provides a management-oriented framework for continuous and proactive control self-assessment, specifically focused on:

· Performance measurement – How well is the IT function supporting business requirements?

· IT control profiling – What IT processes are important?

  o What are the critical success factors for control?

· Awareness – What are the risks of not achieving the objectives?

· Benchmarking – What do others do?

  o How can results be measured and compared?

COBIT Management Guidelines provides example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gaps and strategies for improvement.

COBIT Management Guidelines can be used to support self-assessment workshops and can also be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme.

COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria.

The COBIT references located in the appendix of this document outline the specific objectives or processes of COBIT that should be considered when reviewing the area addressed by this guidance.

Need for Procedure

Primarily intended for IT auditors, internal as well as external, this document can also be used by other security professionals with information security responsibilities.

Modern businesses are organized as a set of core processes operating within supply and demand networks. Almost every organization in the world faces increasing pressure for effectiveness and efficiency (i.e., higher quality requirements for products and services, increased revenue, cost reduction, new product development), a pressure for better, faster and cheaper processes. These increasingly complex operating networks are supported by available communication technologies (mainly the Internet), allowing businesses to focus on their core competencies and partner with others to deliver enhanced value to customers; at the same time, this complexity introduces multiple avenues for threats and vulnerabilities.

The transformation of the old processes is enabled by new communication channels. These channels provide new linking possibilities among different systems and networks, making them available to more people and letting the organizations and their processes interact (e.g., e-procurement and e-sourcing).

This document provides guidance for IT auditors who are increasingly required to audit or review perimeter and internal controls, in order to provide reasonable assurance that all external and internal threats, including potential system compromises, are minimized by identifying and correcting the vulnerabilities detected during a penetration test and vulnerability assessment.

This procedure is not a substitute for an internal audit that includes an organization-wide risk assessment and internal general controls and application audits of all critical infrastructures and applications, including those with financial statement implications. Weaknesses in a noncritical infrastructure or application component could have a consequential impact on critical infrastructure and application components; therefore, a system-wide audit should be completed in its totality and not in a piecemeal fashion.

COBIT Reference

Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria:

· PO6—Communicate Management Aims and Direction

· PO9—Assess Risks

· AI3—Acquire and Maintain Technology Infrastructure

· DS5—Ensure Systems Security

· DS7—Educate and Train Users

· DS10—Manage Problems and Incidents

The information criteria most relevant to a penetration test and vulnerability assessment are:

· Primary: confidentiality, integrity and availability

· Secondary: efficiency and reliability

www.bestitdocuments.com