COBIT 3rd Edition ® Framework July 2000 Released by the COBIT Steering Committee and the IT Governance InstituteTM The COBIT Mission: To research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.

AMERICAN SAMOA ARGENTINA ARMENIA AUSTRALIA AUSTRIA BAHAMAS BAHRAIN BANGLADESH BARBADOS BELGIUM BERMUDA BOLIVIA BOTSWANA BRAZIL BRITISH VIRGIN ISLANDS CANADA CAYMAN ISLANDS CHILE CHINA COLOMBIA COSTA RICA CROATIA CURACAO CYPRUS CZECH REPUBLIC DENMARK DOMINICAN REPUBLIC ECUADOR EGYPT EL SALVADOR ESTONIA FAEROE ISLANDS FIJI FINLAND FRANCE GERMANY GHANA GREECE GUAM GUATEMALA HONDURAS HONG KONG HUNGARY ICELAND INDIA INDONESIA IRAN IRELAND ISRAEL ITALY IVORY COAST JAMAICA JAPAN JORDAN KAZAKHSTAN KENYA KOREA KUWAIT

INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION A Single International Source for Information Technology Controls The Information Systems Audit and Control Association is a leading global professional organisation representing individuals in more than 100 countries and comprising all levels of IT — executive, management, middle management and practitioner. The Association is uniquely positioned to fulfil the role of a central, harmonising source of IT control practice standards for the world over.

Its strategic alliances with other groups in the financial, accounting, auditing and IT professions are ensuring an unparalleled level of integration and commitment by business process owners. The Information Systems Audit and Control Association was formed in 1969 to meet the unique, diverse and high technology needs of the burgeoning IT • Its professional education programme offers technical and management conferences on five continents, as well as seminars worldwide to help professionals everywhere receive highquality continuing education. Its technical publishing area provides references and professional development materials to augment its distinguished selection of programmes and services. LATVIA LEBANON LIECHTENSTEIN LITHUANIA LUXEMBURG MALAYSIA MALTA MALAWI MAURITIUS MEXICO NAMIBIA NEPAL NETHERLANDS NEW GUINEA NEW ZEALAND NICARAGUA NIGERIA NORWAY OMAN PAKISTAN PANAMA PARAGUAY PERU PHILIPPINES POLAND PORTUGAL QATAR RUSSIA SAUDI ARABIA SCOTLAND SEYCHELLES SINGAPORE SLOVAK REPUBLIC SLOVENIA SOUTH AFRICA SPAIN SRI LANKA ST. KITTS ST.

LUCIA SWEDEN SWITZERLAND TAIWAN TANZANIA TASMANIA THAILAND TRINIDAD & TOBAGO TUNISIA TURKEY UGANDA UNITED ARAB EMIRATES UNITED KINGDOM UNITED STATES URUGUAY VENEZUELA VIETNAM WALES YUGOSLAVIA ZAMBIA ZIMBABWE Association Programmes and Services The Association’s services and programmes have earned distinction by establishing the highest levels of excellence in certification, standards, professional education and technical publishing. • Its certification programme (the Certified Information Systems Auditor ) is the TM field.

In an industry in which progress is measured in nano-seconds, ISACA has moved with agility and speed to bridge the needs of the international business community and the IT controls profession. For More Information To receive additional information, you may telephone (+1. 847. 253. 1545), send an e-mail (research@isaca. org) or visit these web sites: www. ITgovernance. org www. isaca. org only global designation throughout the IT audit and control community. • Its standards activities establish the quality baseline by which other IT audit and control activities are measured.

FRAMEWORK TABLE OF CONTENTS Acknowledgments Executive Overview The COBIT Framework The Framework’s Principles COBIT History and Background High-Level Control Objectives—Summary Table Framework Navigation Overview High-Level Control Objectives Appendix I IT Governance Management Guideline ………… 61-64 Appendix II COBIT Project Description……………………………….. 65 Appendix III COBIT Primary Reference Material………………. 66-67 Appendix IV Glossary of Terms ………………………………………………. 8 4 5-7 8-12 13-17 18-19 20 21-22 23-57 Disclaimer The Information Systems Audit and Control Foundation, IT Governance Institute and the sponsors of COBIT: Control Objectives for Information and related Technology have designed and created the publications entitled Executive Summary, Framework, Control Objectives, Management Guidelines, Audit Guidelines and Implementation Tool Set (collectively, the “Works”) primarily as an educational resource for controls professionals. The Information Systems Audit and Control Foundation, IT Governance Institute and the sponsors make no claim that use of any of the Works will assure a successful outcome.

The Works should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his or her own professional judgment to the specific control circumstances presented by the particular systems or IT environment. Disclosure and Copyright Notice Copyright © 1996, 1998, 2000 by the Information Systems Audit and Control Foundation (ISACF). Reproduction for commercial purpose is not permitted without ISACF’s prior written permission.

Permission is hereby granted to use and copy the Executive Summary, Framework, Control Objectives, Management Guidelines and Implementation Tool Set for non-commercial, internal use, including storage in a retrieval system and transmission by any means including, electronic, mechanical, recording or otherwise. All copies of the Executive Summary, Framework, Control Objectives, Management Guidelines and Implementation Tool Set must include the following copyright notice and acknowledgment: “Copyright 1996, 1998, 2000 Information Systems Audit and Control Foundation.

Reprinted with the permission of the Information Systems Audit and Control Foundation and IT Governance Institute. ” The Audit Guidelines may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), except with ISACF’s prior written authorization; provided, however, that the Audit Guidelines may be used for internal non-commercial purposes only.

Except as stated herein, no other right or permission is granted with respect to this work. All rights in this work are reserved. Information Systems Audit and Control Foundation IT Governance Institute 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA Phone: +1. 847. 253. 1545 Fax: +1. 847. 253. 1443 E-mail: research@isaca. org Web sites: www. ITgovernance. org www. isaca. org ISBN ISBN 1-893209-14-8 (Framework) 1-893209-13-X (Complete 6 book set with CD-ROM) Printed in the United States of America.

IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK 3 ACKNOWLEDGMENTS COBIT STEERING COMMITTEE Erik Guldentops, S. W. I. F. T. sc, Belgium John Lainhart, PricewaterhouseCoopers, USA Eddy Schuermans, PricewaterhouseCoopers, Belgium John Beveridge, State Auditor’s Office, Massachusetts, USA Michael Donahue, PricewaterhouseCoopers, USA Gary Hardy, Arthur Andersen, United Kingdom Ronald Saull, Great-West Life Assurance, London Life and Investors Group, Canada Mark Stanley, Sun America Inc. , USA

SPECIAL THANKS to the members of the Board of the Information Systems Audit and Control Association and Trustees of the Information Systems Audit and Control Foundation, headed by International President Paul Williams, for their continuing and unwavering support of COBIT. 4 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK FRAMEWORK EXECUTIVE OVERVIEW survival and success an Critically important to themanagementthis globalofinformaorganisation is effective of information and related Information Technology (IT).

In tion society—where information travels through cyberspace without the constraints of time, distance and speed—this criticality arises from the: • Increasing dependence on information and the systems that deliver this information • Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare • Scale and cost of the current and future investments in information and information systems • Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs For many organisations, information and the technology that supports it represent the organisation’s most valuable assets.

Moreover, in today’s very competitive and rapidly changing business environment, management has heightened expectations regarding IT delivery functions: management requires increased quality, functionality and ease of use; decreased delivery time; and continuously improving service levels— while demanding that this be accomplished at lower costs. Many organisations recognise the potential benefits that technology can yield. Successful organisations, however, understand and manage the risks associated with implementing new technologies. There are numerous changes in IT and its operating environment that emphasise the need to better manage IT-related risks.

Dependence on electronic information and IT systems is essential to support critical business processes. In addition, the regulatory environment is mandating stricter control over information. This, in turn, is driven by increasing disclosures of information system disasters and increasing electronic fraud. The management of IT-related risks is now being understood as a key part of enterprise governance. Within enterprise governance, IT governance is becoming more and more prominent, and is defined as a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes. IT governance is integral to the success f enterprise governance by assuring efficient and effective measurable improvements in related enterprise processes. IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives. Furthermore, IT governance integrates and institutionalises good (or best) practices of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance to ensure that the enterprise’s information and related technology support its business objectives. IT governance thus enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage.

IT GOVERNANCE A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes. satisfy quality, and secuOrganisations must for theirthethe use offiduciaryall assets. rity requirements information, as for Management must also optimise available resources, including data, application systems, technology, facilities and people. To discharge these responsibilities, as well as to achieve its objectives, management must understand the status of its own IT systems and decide what security and control they should provide.

Control Objectives for Information and related Technology (COBIT), now in its 3rd edition, helps meet the multiple needs of management by bridging the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s “good practices” means consensus of the experts—they will help optimise information investments and will provide a measure to be judged against when things do go wrong. Management must ensure that an internal control system or framework is in place which supports the business processes, makes it clear how each individual control activity satisfies the information requirements and impacts the IT resources.

Impact on IT resources is highlighted in the COBIT Framework together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of information that need to be satisfied. Control, which includes policies, organisational structures, practices and procedures, is management’s responsibility. Management, through its enterprise governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance or operation of information systems. An IT control objective is a statement of the desired result or purpose to be achieved by implementing control procedures within a particular IT activity. IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK 5 usiness theme of C T.

It is Balso, andorientation is the mainonly by users andguidance designed to be employed not auditors, but more importantly, as comprehensive OBI for management and business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The COBIT Framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The Framework starts from a simple and pragmatic premise: In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

The Framework continues with a set of 34 high-level Control Objectives, one for each of the IT processes, grouped into four domains: planning and organisation, acquisition and implementation, delivery and support, and monitoring. This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment. provided in the C T IT governanceITguidance is alsoand information to enterprise Framework. governance provides the structure that links IT processes, IT resources OBI Specifically, COBIT provides Maturity Models for control over IT processes, so that management can map where the organisation is today, where it stands in relation to the bestin-class in its industry and to international tandards and where the organisation wants to be; Critical Success Factors, which define the most important management-oriented implementation guidelines to achieve control over and within its IT processes; Key Goal Indicators, which define measures that tell management—after the fact—whether an IT process has achieved its business requirements; and Key Performance Indicators, which are lead indicators that define measures of how well the IT process is performing in enabling the goal to be reached. COBIT’s Management Guidelines are generic and action oriented for the purpose of answering the following types of management questions: How far should we go, and is the cost justified by the benefit? What are the indicators of good performance? What are the critical success factors? What are the risks of not achieving our objectives? What do others do? How do we measure and compare?

COBIT also contains an Implementation Tool Set that provides lessons learned from those organisations that quickly and successfully applied COBIT in their work environments. It has two particularly useful tools—Management Awareness Diagnostic and IT Control Diagnostic—to assist in analysing an organisation’s IT control environment. Over the next few years, the management of organisations will need to demonstrably attain increased levels of security and control. COBIT is a tool that allows managers to bridge the gap with respect to control requirements, technical issues and business risks and communicate that level of control to stakeholders. COBIT enables the development of clear policy and good practice for IT control throughout organisations, worldwide.

Thus, COBIT is designed to be the breakthrough IT governance tool that helps in understanding and managing the risks and benefits associated with information and related IT. strategies and objectives. IT governance integrates optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage. In addition, corresponding to each of the 34 high-level control objectives is an Audit Guideline to enable the review of IT processes against COBIT’s 318 recommended detailed control objectives to provide management assurance and/or advice for mprovement. he Management Guidelines, T’s recent develTopment, furthereffectively andCenablesmostand requireenhances enterprise management to deal more with the needs OBI ments of IT governance. The guidelines are action oriented and generic and provide management direction for getting the enterprise’s information and related processes under control, for monitoring achievement of organisational goals, for monitoring performance within each IT process and for benchmarking organisational achievement. 6 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK FRAMEWORK COBIT IT PROCESSES DEFINED WITHIN THE FOUR DOMAINS BUSINESS OBJECTIVES IT GOVERNANCE M1 M2 M3 M4 onitor the processes assess internal control adequacy obtain independent assurance provide for independent audit INFORMATION effectiveness efficiency confidentiality integrity availability compliance reliability PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 PO11 define a strategic IT plan define the information architecture determine the technological direction define the IT organisation and relationships manage the IT investment communicate management aims and direction manage human resources ensure compliance with external requirements assess risks manage projects manage quality MONITORING PLANNING & ORGANISATION IT RESOURCES people application systems technology facilities data DELIVERY & SUPPORT

DS1 DS2 DS3 DS4 DS5 DS6 DS7 DS8 DS9 DS10 DS11 DS12 DS13 define and manage service levels manage third-party services manage performance and capacity ensure continuous service ensure systems security identify and allocate costs educate and train users assist and advise customers manage the configuration manage problems and incidents manage data manage facilities manage operations ACQUISITION & IMPLEMENTATION AI1 AI2 AI3 AI4 AI5 AI6 identify automated solutions acquire and maintain application software acquire and maintain technology infrastructure develop and maintain procedures install and accredit systems manage changes IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK 7 THE COBIT FRAMEWORK THE NEED FOR CONTROL IN INFORMATION TECHNOLOGY In recent years, it has become increasingly evident that there is a need for a reference framework for security and control in IT.

Successful organisations require an appreciation for and a basic understanding of the risks and constraints of IT at all levels within the enterprise in order to achieve effective direction and adequate controls. MANAGEMENT has to decide what to reasonably invest for security and control in IT and how to balance risk and control investment in an often unpredictable IT environment. While information systems security and control help manage risks, they do not eliminate them. In addition, the exact level of risk can never be known since there is always some degree of uncertainty. Ultimately, management must decide on the level of risk it is willing to accept. Judging what level can be tolerated, particularly when weighted against the cost, can be a difficult management decision.

Therefore, management clearly needs a framework of generally accepted IT security and control practices to benchmark the existing and planned IT environment. There is an increasing need for USERS of IT services to be assured, through accreditation and audit of IT services provided by internal or third parties, that adequate security and control exists. At present, however, the implementation of good IT controls in information systems, be they commercial, non-profit or governmental, is hampered by confusion. The confusion arises from the different evaluation methods such as ITSEC, TCSEC, IS0 9000 evaluations, emerging COSO internal control evaluations, etc. As a result, users need a general foundation to be established as a first step.

Frequently, AUDITORS have taken the lead in such international standardisation efforts because they are continuously confronted with the need to substantiate their opinion on internal control to management. Without a framework, this is an exceedingly difficult task. Furthermore, auditors are increasingly being called on by management to proactively consult and advise on IT security and control-related matters. 8 THE BUSINESS ENVIRONMENT: COMPETITION, CHANGE AND COST Global competition is here. Organisations are restructuring to streamline operations and simultaneously take advantage of the advances in IT to improve their competitive position. Business re-engineering, right-sizing, outsourcing, empowerment, flattened organisations and distributed processing are all changes that impact the way that business and governmental organisations operate.

These changes are having, and will continue to have, profound implications for the management and operational control structures within organisations worldwide. Emphasis on attaining competitive advantage and costefficiency implies an ever-increasing reliance on technology as a major component in the strategy of most organisations. Automating organisational functions is, by its very nature, dictating the incorporation of more powerful control mechanisms into computers and networks, both hardware-based and software-based. Furthermore, the fundamental structural characteristics of these controls are evolving at the same rate and in the same “leap frog” manner as the underlying computing and networking technologies are evolving.

Within the framework of accelerated change, if managers, information systems specialists and auditors are indeed going to be able to effectively fulfil their roles, their skills must evolve as rapidly as the technology and the environment. One must understand the technology of controls involved and its changing nature if one is to exercise reasonable and prudent judgments in evaluating control practices found in typical business or governmental organisations. EMERGENCE OF ENTERPRISE AND IT GOVERNANCE To achieve success in this information economy, enterprise governance and IT governance can no longer be considered separate and distinct disciplines.

Effective enterprise governance focuses individual and group expertise and experience where it can be most productive, monitors and measures performance and provides assurance to critical issues. IT, long considered solely an IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK FRAMEWORK enabler of an enterprise’s strategy, must now be regarded as an integral part of that strategy. IT governance provides the structure that links IT processes, IT resources, and information to enterprise strategies and objectives. IT governance integrates and institutionalises optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance.

IT governance is integral to the success of enterprise governance by assuring efficient and effective measurable improvements in related enterprise processes. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage. Looking at the interplay of enterprise and IT governance processes in more detail, enterprise governance, the system by which entities are directed and controlled, drives and sets IT governance. At the same time, IT should provide critical input to, and constitute an important component of, strategic plans. IT may in fact influence strategic opportunities outlined by the enterprise. Enterprise Governance ligned with and enable the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining a competitive advantage. Enterprise Activities require information from Information Technology Activities Enterprises are governed by generally accepted good (or best) practices, to ensure that the enterprise is achieving its goals-the assurance of which is guaranteed by certain controls. From these objectives flows the organisation’s direction, which dictates certain enterprise activities, using the enterprise’s resources. The results of the enterprise activities are measured and reported on, providing input to the constant revision and maintenance of the controls, beginning the cycle again.

Enterprise Governance drives and sets Information Technology Governance DIRECT Objectives CONTROL Enterprise Activities Resources Enterprise activities require information from IT activities in order to meet business objectives. Successful organisations ensure interdependence between their strategic planning and their IT activities. IT must be USING REPORT IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK 9 THE COBIT FRAMEWORK, continued IT also is governed by good (or best) practices, to ensure that the enterprise’s information and related technology support its business objectives, its resources are used responsibly and its risks are managed appropriately.

These practices form a basis for direction of IT activities, which can be characterised as planning and organising, acquiring and implementing, delivering and supporting, and monitoring, for the dual purposes of managing risks (to gain security, reliability and compliance) and realising benefits (increasing effectiveness and efficiency). Reports are issued on the outcomes of IT activities, which are measured against the various practices and controls, and the cycle begins again. IT Governance DIRECT Objectives • IT is aligned with the business, enables the business and maximises benefits • IT resources are used responsibly • IT related risks are managed appropriately PLAN DO CHECK CORRECT IT Activities Planning and Organisation Acquisition and Implementation Delivery and Support Monitoring CONTROL Manage risks • security • reliability • compliance Realise Benefits Increase Automation be effective Decrease Costs – be efficient REPORT

In order to ensure that management reaches its business objectives, it must direct and manage IT activities to reach an effective balance between managing risks and realising benefits. To accomplish this, management needs to identify the most important activities to be performed, measure progress towards achieving goals and determine how well the IT processes are performing. In addition, it needs the ability to evaluate the organisation’s maturity level against industry best practices and international standards. To support these management needs, the COBIT Management Guidelines have identified specific Critical Success Factors, Key Goal Indicators, Key Performance Indicators and an associated Maturity Model for IT governance, as presented in Appendix I. 10 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK FRAMEWORK

RESPONSE TO THE NEED In view of these ongoing changes, the development of this framework for control objectives for IT, along with continued applied research in IT controls based on this framework, are cornerstones for effective progress in the field of information and related technology controls. On the one hand, we have witnessed the development and publication of overall business control models like COSO (Committee of Sponsoring Organisations of the Treadway Commission-Internal Control—Integrated Framework, 1992) in the US, Cadbury in the UK, CoCo in Canada and King in South Africa. On the other hand, an important number of more focused control models are in existence at the level of IT.

Good examples of the latter category are the Security Code of Conduct from DTI (Department of Trade and Industry, UK), Information Technology Control Guidelines from CICA (Canadian Institute of Chartered Accountants, Canada), and the Security Handbook from NIST (National Institute of Standards and Technology, US). However, these focused control models do not provide a comprehensive and usable control model over IT in support of business processes. The purpose of COBIT is to bridge this gap by providing a foundation that is closely linked to business objectives while focusing on IT. (Most closely related to COBIT is the recently published AICPA/CICA SysTrustTM Principles and Criteria for Systems Reliability.

SysTrust is an authoritative issuance of both the Assurance Services Executive Committee in the United States and the Assurance Services Development Board in Canada, based in part on the COBIT Control Objectives. SysTrust is designed to increase the comfort of management, customers and business partners with the systems that support a business or a particular activity. The SysTrust service entails the public accountant providing an assurance service in which he or she evaluates and tests whether a system is reliable when measured against four essential principles: availability, security, integrity and maintainability. ) A focus on the business requirements for controls in IT and the application of emerging control models and IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK elated international standards evolved the original Information Systems Audit and Control Foundation’s Control Objectives from an auditor’s tool to COBIT, a management tool. Further, the development of IT Management Guidelines has taken COBIT to the next level-providing management with Key Goal Indicators (KGIs), Key Performance Indicators (KPIs), Critical Success Factors (CSFs) and Maturity Models so that it can assess its IT environment and make choices for control implementation and control improvements over the organisation’s information and related technology. Hence, the main objective of the COBIT project is the development of clear policies and good practices for security and control in IT for worldwide endorsement by commercial, governmental and professional organisations.

It is the goal of the project to develop these control objectives primarily from the business objectives and needs perspective. (This is compliant with the COSO perspective, which is first and foremost a management framework for internal controls. ) Subsequently, control objectives have been developed from the audit objectives (certification of financial information, certification of internal control measures, efficiency and effectiveness, etc. ) perspective. AUDIENCE: MANAGEMENT, USERS AND AUDITORS COBIT is designed to be used by three distinct audiences. MANAGEMENT: to help them balance risk and control investment in an often unpredictable IT environment. USERS: to obtain assurance on the security and controls of IT services provided by internal or third parties.

AUDITORS: to substantiate their opinions and/or provide advice to management on internal controls. 11 THE COBIT FRAMEWORK, continued BUSINESS OBJECTIVES ORIENTATION COBIT is aimed at addressing business objectives. The control objectives make a clear and distinct link to business objectives in order to support significant use outside the audit community. Control objectives are defined in a process-oriented manner following the principle of business re-engineering. At identified domains and processes, a high-level control objective is identified and rationale provided to document the link to the business objectives. In addition, considerations and guidelines are provided to define and implement the IT control objective.

The classification of domains where high-level control objectives apply (domains and processes), an indication of the business requirements for information in that domain, as well as the IT resources primarily impacted by the control objectives, together form the COBIT Framework. The Framework is based on the research activities that have identified 34 high-level control objectives and 318 detailed control objectives. The Framework was exposed to the IT industry and the audit profession to allow an opportunity for review, challenge and comment. The insights gained have been appropriately incorporated. GENERAL DEFINITIONS For the purpose of this project, the following definitions are provided. Control” is adapted from the COSO Report (Internal Control—Integrated Framework, Committee of Sponsoring Organisations of the Treadway Commission, 1992) and “IT Control Objective” is adapted from the SAC Report (Systems Auditability and Control Report, The Institute of Internal Auditors Research Foundation, 1991 and 1994). Control is defined as the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. IT Control Objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. IT Governance is defined as structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes. 12 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK FRAMEWORK THE FRAMEWORK’S PRINCIPLES There are two distinct classes of control models currently available: those of the “business control model” class (e. g. , COSO) and the “more focused control models for IT” (e. g. , DTI). COBIT aims to bridge the gap that exists between the two. COBIT is therefore positioned to be more comprehensive for management and to operate at a higher level than technology standards for information systems management. Thus, COBIT is the model for IT governance!

The underpinning concept of the COBIT Framework is that control in IT is approached by looking at information that is needed to support the business objectives or requirements, and by looking at information as being the result of the combined application of IT-related resources that need to be managed by IT processes. BUSINESS REQUIREMENTS Quality has been retained primarily for its negative aspect (no faults, reliability, etc. ), which is also captured to a large extent by the Integrity criterion. The positive but less tangible aspects of Quality (style, attractiveness, “look and feel,” performing beyond expectations, etc. ) were, for a time, not being considered from an IT control objectives point of view.

The premise is that the first priority should go to properly managing the risks as opposed to the opportunities. The usability aspect of Quality is covered by the Effectiveness criterion. The Delivery aspect of Quality was considered to overlap with the Availability aspect of the Security requirements and also to some extent Effectiveness and Efficiency. Finally, Cost is also considered covered by Efficiency. For the Fiduciary Requirements, COBIT did not attempt to reinvent the wheel—COSO’s definitions for Effectiveness and Efficiency of operations, Reliability of Information and Compliance with laws and regulations were used. However, Reliability of Information was expanded to include all information—not just financial information.

With respect to the Security Requirements, COBIT identified Confidentiality, Integrity, and Availability as the key elements—these same three elements, it was found, are used worldwide in describing IT security requirements. IT PROCESSES IT RESOURCES To satisfy business objectives, information needs to conform to certain criteria, which COBIT refers to as business requirements for information. In establishing the list of requirements, COBIT combines the principles embedded in existing and known reference models: Quality Requirements Fiduciary Requirements (COSO Report) Security Requirements Quality Cost Delivery Effectiveness and Efficiency of operations Reliability of Information Compliance with laws and regulations Confidentiality Integrity Availability IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK 13 THE FRAMEWORK’S PRINCIPLES, continued

Starting the analysis from the broader Quality, Fiduciary and Security requirements, seven distinct, certainly overlapping, categories were extracted. COBIT’s working definitions are as follows: Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner. concerns the provision of information through the optimal (most productive and economical) use of resources. concerns the protection of sensitive information from unauthorised disclosure. relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations. relates to information being available when required by the business process now and in the future.

It also concerns the safeguarding of necessary resources and associated capabilities. deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i. e. , externally imposed business criteria. relates to the provision of appropriate information for management to operate the entity and for management to exercise its financial and compliance reporting responsibilities. The IT resources identified in COBIT can be explained/defined as follows: Data are objects in their widest sense (i. e. , external and internal), structured and non-structured, graphics, sound, etc. are understood to be the sum of manual and programmed procedures.

Application Systems Efficiency Technology covers hardware, operating systems, database management systems, networking, multimedia, etc. are all the resources to house and support information systems. Confidentiality Facilities Integrity People include staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services. Availability Compliance Reliability of Information 14 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK FRAMEWORK Money or capital was not retained as an IT resource for classification of control objectives because it can be considered as being the investment into any of the above resources.

It should also be noted that the Framework does not specifically refer to documentation of all material matters relating to a particular IT process. As a matter of good practice, documentation is considered essential for good control, and therefore lack of documentation would be cause for further review and analysis for compensating controls in any specific area under review. Another way of looking at the relationship of IT resources to the delivery of services is depicted below. Data EVENTS Business Objectives Business Opportunities External Requirements Regulations Risks Application Systems INFORMATION Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability TECHNOLOGY message input FACILITIES PEOPLE service output

In order to ensure that the business requirements for information are met, adequate control measures need to be defined, implemented and monitored over these resources. How then can organisations satisfy them- selves that the information they get exhibits the characteristics they need? This is where a sound framework of IT control objectives is required. The next diagram illustrates this concept. What you get BUSINESS PROCESSES What you need INFORMATION Information Criteria • effectiveness • efficiency • confidentiality • integrity • availability • compliance • reliability IT RESOURCES • people • application systems • technology • facilities • data Do they match 15 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK THE FRAMEWORK’S PRINCIPLES, continued

The COBIT Framework consists of high-level control objectives and an overall structure for their classification. The underlying theory for the classification is that there are, in essence, three levels of IT efforts when considering the management of IT resources. Starting at the bottom, there are the activities and tasks needed to achieve a measurable result. Activities have a life-cycle concept while tasks are more discrete. The life-cycle concept has typical control requirements different from discrete activities. Processes are then defined one layer up as a series of joined activities or tasks with natural (control) breaks. At the highest level, processes are naturally grouped together into domains.

Their natural grouping is often confirmed as responsibility domains in an organisational structure and is in line with the management cycle or life cycle applicable to IT processes. With the preceding as the framework, the domains are identified using wording that management would use in the day-to-day activities of the organisation—not auditor jargon. Thus, four broad domains are identified: planning and organisation, acquisition and implementation, delivery and support, and monitoring. Definitions for the four domains identified for the highlevel classification are: Planning and Organisation This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives.

Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organisation as well as technological infrastructure must be put in place. To realise the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems. This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training.

In order to deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls. Domains Processes Acquisition and Implementation Activities/ Tasks Thus, the conceptual framework can be approached from three vantage points: (1) information criteria, (2) IT resources and (3) IT processes. These three vantage points are depicted in the COBIT Cube. Information Criteria Qu ali ty Fid uci ary Se cur ity Delivery and Support Domains People Application Systems Technology IT Processes Processes Facilities Data 16 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK IT Re so ur ce

Activities s FRAMEWORK Monitoring All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain thus addresses management’s oversight of the organisation’s control process and independent assurance provided by internal and external audit or obtained from alternative sources. Similarly, all control measures will not necessarily impact the different IT resources to the same degree. Therefore, the COBIT Framework specifically indicates the applicability of the IT resources that are specifically managed by the process under consideration (not those that merely take part in the process).

This classification is made within the COBIT Framework based on a rigorous process of input from researchers, experts and reviewers, using the strict definitions previously indicated. In summary, in order to provide the information that the organisation needs to achieve its objectives, IT governance must be exercised by the organisation to ensure that IT resources are managed by a set of naturally grouped IT processes. The following diagram illustrates this concept. It should be noted that these IT processes can be applied at different levels within an organisation. For example, some of these processes will be applied at the enterprise level, others at the IT function level, others at the business process owner level, etc.

It should also be noted that the Effectiveness criterion of processes that plan or deliver solutions for business requirements will sometimes cover the criteria for Availability, Integrity and Confidentiality—in practice, they have become business requirements. For example, the process of “identify solutions” has to be effective in providing the Availability, Integrity and Confidentiality requirements. It is clear that all control measures will not necessarily satisfy the different business requirements for information to the same degree. • Primary is the degree to which the defined control objective directly impacts the information criterion concerned. Secondary is the degree to which the defined control objective satisfies only to a lesser extent or indirectly the information criterion concerned. • Blank could be applicable; however, requirements are more appropriately satisfied by another criterion in this process and/or by another process. COBIT IT PROCESSES DEFINED WITHIN THE FOUR DOMAINS BUSINESS OBJECTIVES IT GOVERNANCE M1 M2 M3 M4 monitor the processes assess internal control adequacy obtain independent assurance provide for independent audit INFORMATION effectiveness efficiency confidentiality integrity availability compliance reliability PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 PO11 efine a strategic IT plan define the information architecture determine the technological direction define the IT organisation and relationships manage the IT investment communicate management aims and direction manage human resources ensure compliance with external requirements assess risks manage projects manage quality MONITORING PLANNING & ORGANISATION IT RESOURCES people application systems technology facilities data DELIVERY & SUPPORT DS1 DS2 DS3 DS4 DS5 DS6 DS7 DS8 DS9 DS10 DS11 DS12 DS13 define and manage service levels manage third-party services manage performance and capacity ensure continuous service ensure systems security identify and allocate costs educate and train users assist and advise customers manage the configuration manage problems and incidents manage data manage facilities manage operations ACQUISITION & IMPLEMENTATION AI1 AI2 AI3 AI4 AI5 AI6 dentify automated solutions acquire and maintain application software acquire and maintain technology infrastructure develop and maintain procedures install and accredit systems manage changes IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK 17 COBIT HISTORY AND BACKGROUND COBIT 3 Edition is the most recent version of Control Objectives for Information and related Technology, first released by the Information Systems Audit and Control Foundation (ISACF) in 1996. The 2nd edition, reflecting an increase in the number of source documents, a revision in the high-level and detailed control objectives and the addition of the Implementation Tool Set, was published in 1998.

The 3rd edition marks the entry of a new primary publisher for COBIT: the IT Governance Institute. rd While not excluding any other accepted standard in the information systems control field that may have come to light during the research, sources identified are: Technical standards from ISO, EDIFACT, etc. Codes of Conduct issued by the Council of Europe, OECD, ISACA, etc. Qualification criteria for IT systems and processes: ITSEC, TCSEC, ISO 9000, SPICE, TickIT, Common Criteria, etc. Professional standards for internal control and auditing: COSO, IFAC, AICPA, CICA, ISACA, IIA, PCIE, GAO, etc. Industry practices and requirements from industry forums (ESF, I4) and government-sponsored platforms (IBAG, NIST, DTI), etc. and Emerging industry-specific requirements from banking, electronic commerce, and IT manufacturing. Refer to Appendix II, COBIT Project Description; Appendix III, COBIT Primary Reference Material; and Appendix IV, Glossary of Terms. The IT Governance Institute was formed by the Information System Audit and Control Association (ISACA) and its related Foundation in 1998 in order to advance the understanding and adoption of IT governance principles. Due to the addition of the Management Guidelines to COBIT 3rd Edition and its expanded and enhanced focus on IT governance, the IT Governance Institute took a leading role in the publication’s development.

COBIT was originally based on ISACF’s Control Objectives, and has been enhanced with existing and emerging international technical, professional, regulatory and industry-specific standards. The resulting control objectives have been developed for application to organisation-wide information systems. The term “generally applicable and accepted” is explicitly used in the same sense as Generally Accepted Accounting Principles (GAAP). COBIT is relatively small in size and attempts to be both pragmatic and responsive to business needs while being independent of the technical IT platforms adopted in an organisation. 18 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK FRAMEWORK COBIT PRODUCT EVOLUTION COBIT will evolve over the years and be the foundation for further research.

Thus, a family of COBIT products will be created and, as this occurs, the IT tasks and activities that serve as the structure to organise control objectives will be further refined, and the balance between domains and processes reviewed in light of the industry’s changing landscape. Research and publication have been made possible by significant grants from PricewaterhouseCoopers and donations from ISACA chapters and members worldwide. The European Security Forum (ESF) kindly made research material available to the project. The Gartner Group also participated in the development and provided quality assurance review of the Management Guidelines. COBIT Family of Products EXECUTIVE SUMMARY IMPLEMENTATION TOOL SET – – – – – Executive Overview Case Studies FAQs Power Point Presentations Implementation Guide • Management Awareness Diagnostics • IT Control Diagnostics

FRAMEWORK with High-Level Control Objectives MANAGEMENT GUIDELINES DETAILED CONTROL OBJECTIVES AUDIT GUIDELINES Maturity Models Critical Success Factors Key Goal Key Goal Indicators Indicators Key Performance Key Performance Indicators Indicators IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK 19 CONTROL OBJECTIVES SUMMARY TABLE The following chart provides an indication, by IT process and domain, of which information criteria are impacted by the high-level control objectives, as well as an indication of which IT resources are applicable. Information Criteria IT Resources DOMAIN Planning & Organisation PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 PO11 PROCESS

Define a strategic IT plan Define the information architecture Determine technological direction Define the IT organisation and relationships Manage the IT investment Communicate management aims and direction Manage human resources Ensure compliance with external requirements Assess risks Manage projects Manage quality Identify automated solutions Acquire and maintain application software Acquire and maintain technology infrastructure Develop and maintain procedures Install and accredit systems Manage changes Define and manage service levels Manage third-party services Manage performance and capacity Ensure continuous service Ensure systems security Identify and allocate costs Educate and train users Assist and advise customers Manage the configuration Manage problems and incidents Manage data Manage facilities Manage operations Monitor the processes Assess internal control adequacy Obtain independent assurance Provide for independent audit P P P P P P P P P P P P P P P P P P P P P Acquisition & Implementation AI1 AI2 AI3 AI4 AI5 AI6 Delivery & Support DS1 DS2 DS3 DS4 DS5 DS6 DS7 DS8 DS9 DS10 DS11 DS12 DS13 P P P P P P P P P Monitoring M1 M2 M3 M4 (P) primary (S) secondary 20 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK f fe cti ef ven fic es co ie s nf nc id y e in ntia teg li av rit ty ai y co lab m ility p re lian lia ce bi lity pe ap op pl le i tec cati hn on s fa olog cil y itie da s ta S S S S P P S P P S P P P P P P P S P P S P P P P S S S S S S S S S S S P S S S S S S P P P S S S S P S S P P P P P S S S S ? S S ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? S S ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? S ? P ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? S S S S P S S S S S P S S S P S S S S S S S S S S P ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? P P P P P () applicable to FRAMEWORK FRAMEWORK NAVIGATION OVERVIEW

The High-Level Control Objectives section presents control statements, business requirements, enablers and considerations for all of COBIT’s 34 IT processes. The domain indicator (“PO” for Planning & Organisation, “AI” for Acquisition & Implementation, “DS” for Delivery & Support and “M” for Monitoring) is shown at top left. The applicable information criteria and IT resources managed are shown via mini-matrix, as described on the following page. The COBIT Framework has been limited to high-level control objectives in the form of a business need within a particular IT process, the achievement of which is enabled by a control statement, for which consideration should be given to potentially applicable controls.

The Control Objectives have been organised by process/activity, but navigation aids have been provided not only to facilitate entry from any one vantage point, but also to facilitate combined or global approaches, such as installation/implementation of a process, global management responsibilities for a process and the use of IT resources by a process. It should also be noted that the Control Objectives have been defined in a generic way; i. e. , not depending on the technical platform, while accepting the fact that some special technology environments may need separate coverage for Control Objectives. The control of IT Processes which satisfy Business Requirements is enabled by Control Statements considering

Control Practices IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK 21 FRAMEWORK NAVIGATION OVERVIEW, continued To facilitate efficient use of the Control Objectives in support of the different vantage points, some navigation aids are provided as part of the presentation of the high-level Control Objectives. For each of the three dimensions along which the COBIT Framework can be approached—processes, IT resources and information criteria—a navigation aid is provided. ef fe cti ef ven f e co icie ss nf nc id y en in tia te li av grit ty ai y co lab m ility p re lian lia ce bi lity S Information Criteria IT Domains IT Resources P Planning & Organisation

Acquisition & Implementation Delivery & Support Monitoring Three Vantage Points pe o ap ple pl ic tec atio hn ns ol fa ogy cil itie s da ta Navigation Aids Planning & Organisation IT domains are identified by this icon in the UPPER RIGHT CORNER of each page in the Control Objectives section, with the domain under review highlighted and enlarged. Acquisition & Implementation Delivery & Support Monitoring The cue to information criteria will be provided in the UPPER LEFT CORNER in the Control Objectives section by means of this minimatrix, which will identify which criteria are applicable to each highlevel control objective and to which degree (primary or secondary).

A second mini-matrix in the LOWER RIGHT CORNER in the Control Objectives section identifies the IT resources that are specifically managed by the process under consideration—not those that merely take part in the process. For example, the “manage data” process concentrates particularly on Integrity and Reliability of the data resource. 22 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK pe o ap ple pl ica tec tio hn ns ol fa ogy cil itie s da ta ef fe cti ef ven f e co icie ss nf nc id y e in ntia teg li av rit ty ai y co lab m ility p re lian lia ce bi lity S P FRAMEWORK HIGH-LEVEL CONTROL OBJECTIVES IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK 23 PO1 Planning & Organisation Define a Strategic Information Technology Plan HIGH-LEVEL CONTROL OBJECTIVE f fe cti ef ven f e co icie ss nf nc id y e in ntia teg li av rit ty ai y co lab m ility p re lian lia ce bi lity Planning & Organisation Acquisition & Implementation Delivery & Support Monitoring P S Control over the IT process of defining a strategic IT plan that satisfies the business requirement to strike an optimum balance of information technology opportunities and IT business requirements as well as ensuring its further accomplishment is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans; the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals and takes into consideration • • • • • • • • nterprise business strategy definition of how IT supports the business objectives inventory of technological solutions and current infrastructure monitoring the technology markets timely feasibility studies and reality checks existing systems assessments enterprise position on risk, time-to-market, quality need for senior management buy-in, support and critical review pe o ap ple pl ic tec atio hn ns ol fa ogy cil itie s da ta 24 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK PO2 Planning & Organisation Define the Information Architecture HIGH-LEVEL CONTROL OBJECTIVE ef fe cti ef ven f e co icie ss nf nc id y e in ntia teg li av rit ty ai y co lab m ility p re lian lia ce bi lity Planning & Organisation Acquisition & Implementation Delivery & Support Monitoring P S S S

Control over the IT process of defining the information architecture that satisfies the business requirement of optimising the organisation of the information systems is enabled by creating and maintaining a business information model and ensuring appropriate systems are defined to optimise the use of this information and takes into consideration • • • • • automated data repository and dictionary data syntax rules data ownership and criticality/security classification an information model representing the business enterprise information architectural standards pe o ap ple pl ic tec atio hn ns ol fa ogy cil itie s da ta IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK 25 PO3 Planning & Organisation Determine Technological Direction HIGH-LEVEL CONTROL OBJECTIVE ef fe cti ef ven f e co icie ss nf nc id y e in ntia teg li av rit ty ai y co lab m ility p re lian lia ce bi lity Planning & Organisation Acquisition & Implementation Delivery & Support Monitoring P S Control over the IT process of determining technological direction that satisfies the business requirement to take advantage of available and emerging technology to drive and make possible the business strategy is enabled by reation and maintenance of a technological infrastructure plan that sets and manages clear and realistic expectations of what technology can offer in terms of products, services and delivery mechanisms and takes into consideration • • • • • • • • • capability of current infrastructure monitoring technology developments via reliable sources conducting proof-of-concepts risk, constraints and opportunities acquisition plans migration strategy and roadmaps vendor relationships independent technology reassessment hardware and software price/performance changes 26 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK pe o ap ple pl ic tec atio hn ns ol fa ogy cil itie s da ta PO4 Planning & Organisation Define the Information Technology Organisation and Relationships HIGH-LEVEL CONTROL OBJECTIVE ef fe cti ef ven f e co icie ss nf nc id y e in ntia teg li av rit ty ai y co lab m ility p re lian lia ce bi lity Planning & Organisation Acquisition & Implementation Delivery & Support Monitoring P S

Control over the IT process of defining the IT organisation and relationships that satisfies the business requirement to deliver the right IT services is enabled by an organisation suitable in numbers and skills with roles and responsibilities defined and communicated, aligned with the business and that facilitates the strategy and provides for effective direction and adequate control and takes into consideration • • • • • • • • • • board level responsibility for IT management’s direction and supervision of IT IT’s alignment with the business IT’s involvement in key decision processes organisational flexibility clear roles and responsibilities balance between supervision and empowerment job descriptions staffing levels and key personnel organisational positioning of security, quality and internal control functions • segregation of duties e o ap ple pl ic tec atio hn ns ol fa ogy cil itie s da ta IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK 27 PO5 Planning & Organisation Manage the Information Technology Investment HIGH-LEVEL CONTROL OBJECTIVE ef fe cti ef ven f e co icie ss nf nc id y e in ntia teg li av rit ty ai y co lab m ility p re lian lia ce bi lity Planning & Organisation Acquisition & Implementation Delivery & Support Monitoring P P S Control over the IT process of managing the IT investment that satisfies the business requirement to ensure funding and to control disbursement of financial resources is enabled by a periodic investment and operational budget established and approved by the business and takes into consideration • • • • • • • • funding alternatives clear budget ownership control of actual spending cost justification and awareness of total cost of ownership benefit justification and accountability for benefit fulfillment technology and application software life cycles alignment with enterprise business strategy impact assessment asset management pe o ap ple pl ic tec atio hn ns ol fa ogy cil itie s da ta 28 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK PO6 Planning & Organisation Communicate Management Aims and Direction HIGH-LEVEL CONTROL OBJECTIVE ef fe cti ef ven f e co icie ss nf nc id y e in ntia teg li av rit ty ai y co lab m ility p re lian lia ce bi lity Planning & Organisation Acquisition & Implementation Delivery & Support Monitoring P S

Control over the IT process of communicating management aims and direction that satisfies the business requirement to ensure user awareness and understanding of those aims is enabled by policies established and communicated to the user community; furthermore, standards need to be established to translate the strategic options into practical and usable user rules and takes into consideration • • • • • • • • • clearly articulated mission technology directives linked to business aims code of conduct/ethics quality commitment security and internal control policies security and internal control practices lead-by-example continuous communications programme providing guidance and checking compliance pe o ap ple pl ic tec atio hn ns ol fa ogy cil itie s da ta IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK 29 PO7 Planning & Organisation Manage Human Resources HIGH-LEVEL CONTROL OBJECTIVE ef fe cti ef ven f e co icie ss nf nc id y e in ntia teg li av rit ty ai y co lab m ility p re lian lia ce bi lity Planning & Organisation Acquisition & Implementation Delivery & Support Monitoring P P

Control over the IT process of managing human resources that satisfies the business requirement to acquire and maintain a motivated and competent workforce and maximise personnel contributions to the IT processes is enabled by sound, fair and transparent personnel management practices to recruit, line, vet, compensate, train, appraise, promote and dismiss and takes into consideration • • • • • • • • • recruitment and promotion training and qualification requirements awareness building cross-training and job rotation hiring, vetting and dismissal procedures objective and measurable performance evaluation responsiveness to technical and market changes properly balancing internal and external resources succession plan for key positions 30 IT GOVERNANCE INSTITUTE — COBIT FRAMEWORK pe o ap ple pl ic tec atio hn ns ol fa ogy cil itie s da ta PO8 Planning & Organisation Ensure Compliance with External Requirements HIGH-LEVEL CONTROL OBJECTIVE ef fe cti ef ven f e co icie ss nf nc id y e in ntia teg li av rit ty ai y co lab m ility p re lian lia ce bi lity Planning