You know you are at a conference of IT auditors and security
chiefs when attendees are frequently urged in "housekeeping"
announcements not to leave laptops unattended.
These are people who are paid not to miss a thing, and the
conference organizers help keep it that way.
Increasingly, to keep themselves and their companies out of
trouble, the members of the Rolling Meadows, Ill.-based Information
Systems Audit and Control Association (ISACA), the conference
sponsor, are turning to an IT governance tool, the Control
Objectives for Information and Related Technology, or Cobit.
Although Cobit has been around since the early 1990s, the
Sarbanes-Oxley Act is pushing new interest in the tool, said users
who have implemented it. Cobit is also getting updated: A new
version of a Sarb-Ox-specific tool that uses Cobit, the IT Control
Objectives for Sarbanes-Oxley, is being finalized by the IT
Governance Institute (ITGI), which is also in Rolling Meadows.
Public comment is now being accepted on the updated tool, which
includes recent U.S. Security and Exchange Commission guidance.
"[Sarb-Ox] is an amorphous document -- it says 'have controls,'
but it doesn't tell you what controls or how to have them," said
Scott Thomas, an IT security manager at a large food services
company he asked not to be named. Cobit has given his company "a
nice solid process" to follow, as well as something to show
auditors to demonstrate what security controls are in place.
Without Cobit, communication between the business and IT is "apples
to oranges," he said.
A major update of Cobit, Version 4, was released in December by
the ITGI. Cobit and the Sarb-Ox framework are both available as
free downloads from the www.isaca.org Web site.
Cobit creates a common framework for business and IT management
and in a "nontechnical way" explains about building controls around
a business process, said Steven Suther, director of information
security management for American Express Technologies, the IT arm
of American Express Co. Cobit allows "my business folks to actually
understand IT processes for the first time ever," he said.
The management focus of Cobit differs from the Information
Technology Infrastructure Library (ITIL) that is gaining data
center adoption. But both are complementary, and the latest version
of Cobit has improved integration with ITIL, said Robert Stroud, an
IT service management evangelist at CA Inc., and contributor to
Cobit.
ITIL is focused on IT processes, such as how a help desk handles
a trouble ticket. Cobit integrates some of ITIL but takes the
issues to a higher level in a company by focusing on meeting
business needs, said Stroud. It provides a means to map IT to
business requirements, such as ensuring that costs are measured and
service levels and performance goals are met, he said.
IT users who want to discuss, for instance, how much storage is
available aren't necessarily giving a business the information it
really needs, said Stroud. "The business just cares about the
ultimate service," he said.
The city of Phoenix is in the planning stages of a Cobit
implementation, according to Lance Turcato, the deputy city
auditor. Turcato has in the past been involved in a Cobit
implementation in the private sector, and said it can foster a
better partnership with IT, the business side and auditors. That's
because Cobit "pulls together the best practices" in the industry
and provides a baseline for IT, said Turcato.
For instance, in IT security it assembles the leading risk
indicators and what specific controls are needed to address them.
In that respect, Cobit is a "think-tank brain dump for what leaders
in the industry are doing for IT security," he said.
icon.
