You know you are at a conference of IT auditors and securitychiefs when attendees are frequently urged in “housekeeping”announcements not to leave laptops unattended.
These are people who are paid not to miss a thing, and theconference organizers help keep it that way.
Increasingly, to keep themselves and their companies out oftrouble, the members of the Rolling Meadows, Ill.-based InformationSystems Audit and Control Association (ISACA), the conferencesponsor, are turning to an IT governance tool, the ControlObjectives for Information and Related Technology, or Cobit.
Although Cobit has been around since the early 1990s, theSarbanes-Oxley Act is pushing new interest in the tool, said userswho have implemented it. Cobit is also getting updated: A newversion of a Sarb-Ox-specific tool that uses Cobit, the IT ControlObjectives for Sarbanes-Oxley, is being finalized by the ITGovernance Institute (ITGI), which is also in Rolling Meadows.Public comment is now being accepted on the updated tool, whichincludes recent U.S. Security and Exchange Commission guidance.
“[Sarb-Ox] is an amorphous document — it says ‘have controls,’but it doesn’t tell you what controls or how to have them,” saidScott Thomas, an IT security manager at a large food servicescompany he asked not to be named. Cobit has given his company “anice solid process” to follow, as well as something to showauditors to demonstrate what security controls are in place.Without Cobit, communication between the business and IT is “applesto oranges,” he said.
A major update of Cobit, Version 4, was released in December bythe ITGI. Cobit and the Sarb-Ox framework are both available asfree downloads from the www.isaca.org Web site.
Cobit creates a common framework for business and IT managementand in a “nontechnical way” explains about building controls arounda business process, said Steven Suther, director of informationsecurity management for American Express Technologies, the IT armof American Express Co. Cobit allows “my business folks to actuallyunderstand IT processes for the first time ever,” he said.
The management focus of Cobit differs from the InformationTechnology Infrastructure Library (ITIL) that is gaining datacenter adoption. But both are complementary, and the latest versionof Cobit has improved integration with ITIL, said Robert Stroud, anIT service management evangelist at CA Inc., and contributor toCobit.
ITIL is focused on IT processes, such as how a help desk handlesa trouble ticket. Cobit integrates some of ITIL but takes theissues to a higher level in a company by focusing on meetingbusiness needs, said Stroud. It provides a means to map IT tobusiness requirements, such as ensuring that costs are measured andservice levels and performance goals are met, he said.
IT users who want to discuss, for instance, how much storage isavailable aren’t necessarily giving a business the information itreally needs, said Stroud. “The business just cares about theultimate service,” he said.
The city of Phoenix is in the planning stages of a Cobitimplementation, according to Lance Turcato, the deputy cityauditor. Turcato has in the past been involved in a Cobitimplementation in the private sector, and said it can foster abetter partnership with IT, the business side and auditors. That’sbecause Cobit “pulls together the best practices” in the industryand provides a baseline for IT, said Turcato.
For instance, in IT security it assembles the leading riskindicators and what specific controls are needed to address them.In that respect, Cobit is a “think-tank brain dump for what leadersin the industry are doing for IT security,” he said.