
COBIT IT Assessment Tool/Audit - Best Practice Help

COBIT IT Assessment / Audit Tool

Introduction

The goal of information technology certification programs is to provide alignment of the IT infrastructure with the business goals of the corporation:

- Optimal configurations: for performance and return on investment
- Scalability and flexibility: to meet rapidly growing or changing business conditions
- Performance engineering: for mission-critical systems
- Predictable cost control: for projects, operations and planning
- Risk analysis: for information technology and capital investment

This assessment / audit tool contains, within 4 areas of IT control, a total of 34 high-level control objectives.


The high-level control objectives are grouped into four areas of IT control:

- Planning and Organization - IT Controls
- Acquisition and Implementation - IT Controls
- Delivery and Support - IT Controls
- Monitoring - IT Controls

This assessment / audit tool's detailed-control statements are graded on a scale of 0-5:

0 Non-existent - no recognizable process
1 Initial - no standardized process
2 Repeatable - standardized process in place
3 Defined - policy/procedures are standardized and documented
4 Managed - compliance monitors are in place and utilized
5 Optimized - processes are refined

Overview

There are three levels of IT management: domains, processes, and activities/tasks. These utilize IT resources (people, application systems, technology, facilities, data) to produce information measured by criteria (quality, fiduciary, security).

- Domains are management groupings within an organization's structure (division).
- Processes are joined activities/tasks with natural control breaks (department).
- Activities are joined tasks with a defined life-cycle designed to produce measurable result(s).
- Tasks are discrete actions required to achieve measurable business goals.

Note: activities and tasks require a different type of control than domains and processes.

This assessment tool is based on the COBIT Framework for certification of performance in the management, security and control of information technology, as developed by the IT Governance Institute. COBIT is an acronym which stands for "Control Objectives for Information and related Technology".

Planning and Organization - IT Controls

High-Level Control Statements

PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Define the Technological Direction
PO4 Define the IT Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality

Detailed Control Objectives

PO1 Define a Strategic IT Plan
- IT as Part of the Organization's Long- and Short-Range Plan
- IT Long-Range Plan
- IT Long-Range Planning - Approach and Structure
- IT Long-Range Plan Changes
- Short-Range Planning for the IT Function
- Communication of IT Plans
- Monitoring and Evaluation of IT Plans
- Assessment of Existing Systems

PO2 Define the Information Architecture
- Information Architecture Model
- Corporate Data Dictionary and Data Syntax Rules
- Data Classification Scheme
- Security Levels

PO3 Determine Technological Direction
- Technological Infrastructure Planning
- Monitoring Future Trends and Regulations
- Technological Infrastructure Contingency
- Hardware and Software Acquisition Plans
- Technology Standards

PO4 Define the IT Organization and Relationships
- IT Planning or Steering Committee
- Organizational Placement of the IT Function
- Review of Organizational Achievements
- Roles and Responsibilities
- Responsibility for Quality Assurance
- Responsibility for Logical and Physical Security
- Ownership and Custodianship
- Data and System Ownership
- Supervision
- Segregation of Duties
- IT Staffing
- Job or Position Descriptions for IT Staff
- Key IT Personnel
- Contracted Staff Policies and Procedures
- Relationships

PO5 Manage the IT Investment
- Annual IT Operating Budget
- Cost and Benefit Monitoring
- Cost and Benefit Justification

PO6 Communicate Management Aims and Direction
- Positive Information Control Environment
- Management's Responsibility for Policies
- Communication of Organizational Policies
- Policy Implementation Resources
- Maintenance of Policies
- Compliance with Policies, Procedures and Standards
- Quality Commitment
- Security and Internal Control Framework Policy
- Intellectual Property Rights
- Issue-Specific Policies
- Communication of IT Security Awareness

PO7 Manage Human Resources
- Personnel Recruitment and Promotion
- Personnel Qualifications
- Roles and Responsibilities
- Personnel Training
- Cross-Training or Staff Back-up
- Personnel Clearance Procedures
- Employee Job Performance Evaluation
- Job Change and Termination

PO8 Ensure Compliance with External Requirements
- External Requirements Review
- Practices and Procedures for Complying With External Requirements
- Safety and Ergonomic Compliance
- Privacy, Intellectual Property and Data Flow
- Electronic Commerce
- Compliance with Insurance Contracts

PO9 Assess Risks
- Business Risk Assessment
- Risk Assessment Approach
- Risk Identification
- Risk Measurement
- Risk Action Plan
- Risk Acceptance
- Safeguard Selection
- Risk Assessment Commitment

PO10 Manage Projects
- Project Management Framework
- User Department Participation in Project Initiation
- Project Team Membership and Responsibilities
- Project Definition
- Project Approval
- Project Phase Approval
- Project Master Plan
- System Quality Assurance Plan
- Planning of Assurance Methods
- Formal Project Risk Management
- Test Plan
- Training Plan
- Post-Implementation Review Plan

PO11 Manage Quality
- General Quality Plan
- Quality Assurance Approach
- Quality Assurance Planning
- Quality Assurance Review of Adherence to IT Standards and Procedures
- System Development Life Cycle Methodology
- System Development Life Cycle Methodology for Major Changes to Existing Technology
- Updating of the System Development Life Cycle Methodology
- Coordination and Communication
- Acquisition and Maintenance Framework for the Technology Infrastructure
- Third-Party Implementor Relationships
- Program Documentation Standards
- Program Testing Standards
- System Testing Standards
- Parallel/Pilot Testing
- System Testing Documentation
- Quality Assurance Evaluation of Adherence to Development Standards
- Quality Assurance Review of the Achievement of IT Objectives
- Quality Metrics
- Reports of Quality Assurance Reviews

Acquisition and Implementation - IT Controls

High-Level Control Statements

AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Develop and Maintain Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes

Detailed Control Objectives

AI1 Identify Automated Solutions
- Definition of Information Requirements
- Formulation of Alternative Courses of Action
- Formulation of Acquisition Strategy
- Third-Party Service Requirements
- Technological Feasibility Study
- Economic Feasibility Study
- Information Architecture
- Risk Analysis Report
- Cost-Effective Security Controls
- Audit Trails Design
- Ergonomics
- Selection of System Software
- Procurement Control
- Software Product Acquisition
- Third-Party Software Maintenance
- Contract Application Programming
- Acceptance of Facilities
- Acceptance of Technology

AI2 Acquire and Maintain Application Software
- Design Methods
- Major Changes to Existing Systems
- Design Approval
- File Requirements Definition and Documentation
- Program Specifications
- Source Data Collection Design
- Input Requirements Definition and Documentation
- Definition of Interfaces
- User-Machine Interface
- Processing Requirements Definition and Documentation
- Output Requirements Definition and Documentation
- Controllability
- Availability as a Key Design Factor
- IT Integrity Provisions in Application Program Software
- Application Software Testing
- User Reference and Support Materials
- Reassessment of

