Increasingly, to keep themselves and their companies out of trouble, the members of the Rolling Meadows, Ill.-based Information Systems Audit and Control Association (ISACA), the conference sponsor, are turning to an IT governance tool, the Control Objectives for Information and Related Technology, or Cobit.
Although Cobit has been around since the early 1990s, the Sarbanes-Oxley Act is pushing new interest in the tool, said users who have implemented it. Cobit is also getting updated: A new version of a Sarb-Ox-specific tool that uses Cobit, the IT Control Objectives for Sarbanes-Oxley, is being finalized by the IT Governance Institute (ITGI), which is also in Rolling Meadows. Public comment is now being accepted on the updated tool, which includes recent U.S. Security and Exchange Commission guidance.
"[Sarb-Ox\] is an amorphous document -- it says 'have controls,' but it doesn't tell you what controls or how to have them," said Scott Thomas, an IT security manager at a large food services company he asked not to be named. Cobit has given his company "a nice solid process" to follow, as well as something to show auditors to demonstrate what security controls are in place. Without Cobit, communication between the business and IT is "apples to oranges," he said.
A major update of Cobit, Version 4, was released in December by the ITGI. Cobit and the Sarb-Ox framework are both available as free downloads from the www.isaca.org Web site.
Cobit creates a common framework for business and IT management and in a "nontechnical way" explains about building controls around a business process, said Steven Suther, director of information security management for American Express Technologies, the IT arm of American Express Co. Cobit allows "my business folks to actually understand IT processes for the first time ever," he said.
The management focus of Cobit differs from the Information Technology Infrastructure Library (ITIL) that is gaining data center adoption. But both are complementary, and the latest version of Cobit has improved integration with ITIL, said Robert Stroud, an IT service management evangelist at CA Inc., and contributor to Cobit.
ITIL is focused on IT processes, such as how a help desk handles a trouble ticket. Cobit integrates some of ITIL but takes the issues to a higher level in a company by focusing on meeting business needs, said Stroud. It provides a means to map IT to business requirements, such as ensuring that costs are measured and service levels and performance goals are met, he said.
IT users who want to discuss, for instance, how much storage is available aren't necessarily giving a business the information it really needs, said Stroud. "The business just cares about the ultimate service," he said.
The city of Phoenix is in the planning stages of a Cobit implementation, according to Lance Turcato, the deputy city auditor. Turcato has in the past been involved in a Cobit implementation in the private sector, and said it can foster a better partnership with IT, the business side and auditors. That's because Cobit "pulls together the best practices" in the industry and provides a baseline for IT, said Turcato.
For instance, in IT security it assembles the leading risk indicators and what specific controls are needed to address them. In that respect, Cobit is a "think-tank brain dump for what leaders in the industry are doing for IT security," he said.