
CIR Standard Appendix 12: COBIT Framework

Written by Moh Heng Goh | Nov 28, 2022 12:41:59 PM

CIR Related Standards

COBIT Framework

22.1 Introduction

Control Objectives for Information Related Technology (COBIT) is an international framework that helps IT personnel understand the relationship between the IT infrastructures and business needs within an organisation (Finjan Team, 2016). It recommends practices that make IT operations more efficient and effective in meeting business needs. This can be achieved through documentation and the development of tools, processes and organisational structure.

22.2 Concept

The objective of adopting the COBIT Framework is to ensure that IT is governed and managed holistically, taking into consideration the full end-to-end business and IT functional areas of responsibility while considering the IT-related interests of internal and external stakeholders (Bobsguide, 2012). There should be a clear distinction between governance and management.

Governance, carried out by the board of directors, ensures that enterprise objectives are met by evaluating stakeholder needs, conditions and options. The board sets the overall direction through prioritisation and decision-making. Processes are monitored for their progress and compliance against predetermined directions and objectives.

Members under Management plan, build, run and monitor the activities in line with the direction the board of directors provides so that the organisation can achieve its objectives.

22.3 Scope

Through the adoption of the COBIT Framework, the end goals for organisations are to:

  • Adhere to stakeholder needs and requirements;
  • Cover all aspects of the organisation;
  • Apply a single integrated framework;
  • Govern and manage holistically; and
  • Distinguish governance and management.

22.4 Areas to Achieve Goal

To achieve these goals, the organisation has to look into these areas:

22.4.1 Processes

IT-related goals and objectives are set beforehand by the board of directors. Therefore, activities performed by the employees have to be organised to produce specific outputs to achieve them.

22.4.2 Organisational Structure

By developing an organisational structure, different aspects of the organisation are identified and categorised, each carrying different roles and responsibilities. Certain entities have higher authority, and thus information needs to be channelled to them for decision-making.

22.4.3 Culture, Ethnic and Behaviour

Every employee in an organisation is unique, and their way of life needs to be considered, given that all employees have a part to play in effectively managing cyber security incidents. Understanding one another’s differences can contribute to success in governance and management activities.

22.4.4 Principles, Policies and Frameworks

Developing these areas gives employees guidance for performing their daily activities. The board of directors wants the organisation to progress in the right direction regarding the effective handling of IT infrastructures within the organisation; these ideals are represented in the principles, policies and frameworks so that employees can put them into action.

22.4.5 Information

Exchanging information within an organisation is very important, regardless of whether it is with the Management or other employees. The organisation needs information to determine whether the activities performed are on the right track. The information produced by performing activities needs to be shared across the organisation to ensure everybody is aware and on the same page.

22.4.6 Services, Infrastructures and Applications

All IT infrastructures within an organisation must be considered when implementing cyber security controls, especially those directly responsible for performing important business functions. Every IT infrastructure within the organisation is a potential platform for cybercriminals to gain unauthorised access to the main system. Hence, all IT infrastructures have to be accounted for.

22.4.7 People, Skills and Competencies

Certain activities require knowledge of an area or are more demanding. The organisation has to ensure that these activities are assigned to capable hands. Only the successful execution of these activities allows effective governance and management of IT infrastructures.

 

 


Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.

Reference: Chapter 22 Appendix 12: COBIT Framework

Note: This version was the draft 2nd Edition being updated in 2023. The numbers in square brackets [X-X] cross-refer to the actual chapter and section in the 1st Edition.