Is CobiT® a framework or a standard?

CobiT® is the vision of control over information that is "us": Certified Information Systems Auditors. We, the CISAs, are the measure. We execute a practice that mandates that we perform to a standard. We reach that level of performance by adhering to a philosophy that is enabled by a framework. The standard is maintained only to the extent that it is implemented through practice and methodology.

Formula is not framework or standard. Formula cannot make us “good” or “funny”. Formula is a cheap imitation of framework. We see it in marketing, legal smudge, manufacturing, bad teaching and especially in the claims made by those too lazy or ignorant to do the research in the first place.

Legal smudge and formula use characteristic statements like "Statistics say" or "the current wisdom is", but they don't recognize the real source of information. Formula is driven by agenda, whereas framework is driven by excellence.

CobiT® is a framework that allows Information Systems Audit and Control teams to achieve a standard. We own the optimization of CobiT®, and our actions represent ISACA as the "measure" of information control. When we are CISA, we are the measure.

Consider the part that framework, standard, practice, method, concept, assessment, conformity and independent criterion reference all play on the road to a healthy control posture.

An analogy that may help is the path to physical fitness. Standards are used to measure fitness, for example the US-based Presidential Fitness Award. Fitness is not a "standard". We have, however, standards that model fitness.

Frameworks for nutrition, exercise and life balancing activity help us achieve standard levels of health as can be demonstrated by measures according to agreed criteria and norms.

Framework, as in rest, nutrition and exercise, is a backbone. Without a backbone we are a useless bag of flesh.

Exercise is a practice (like running). Note that without the framework, we cannot execute the reinforcing and optimizing practice. (Try to run without your backbone.)

Industries that support this framework reinforce activity aligned to fitness practice. We go to the gym. We eat organic food. These activities are not a framework, a practice or even a standard. They are tools. We recognize their value as helping us reach a standard.

Performance is a heart rate, as in beats per minute given a measured and typed event of exercise. Performance is benchmarked as normative data. We use the measured rate as compared to subjects in a particular range of height, weight and age. Performance requires a criterion-based reference. This is where formula and framework stand apart. Recognized standards of measure evidence their years in developing methods for valid test construction. Statements of performance include the details of the content supporting their claim. A valid statement would have components like, "Given a trigger or condition, with an identified set of characteristics, the subject is observed to perform at a rate."

In the review of the results, the test can be summarized using language that is interpreted as an indication of competency. We cannot say what is "good", but we can say that results indicate "good" as compared to similar subjects and as found using valid content across a sample size that is reasonable, given our industry and guidelines for measure.

Standard is the agreement on interpretation and rate of performance, as sanctioned by a recognized body, like CASCO or the American Heart and Lung Association, that a particular value or set of values can be taken as an indication of condition.

Frameworks, methodologies and guidelines imply conceptual alignment and best practice.

Standards imply normalized expectations based in specific and mandated requirements.

Criterion referencing is the act of optimizing and defining rates and benchmarks.

A criterion reference is typically established by an elected body or organized committee. Where it is only proposed by an individual, it is a "theory" or "concept". After a proposed criterion has had sufficient review to assure that its findings meet both content AND construct validity, it may be adopted as a criterion reference.

ANSI is a recognized standards body. When ANSI recognized ISACA... it was a very big deal. Earning permission to act as a standards body is not trivial and implies extremely specific functions to the identified organization.

Consider that ISO Certification cannot be provided by ISO... Why not? ISO can create and propose a standard for measure, including content and methods of construction that may be used to assess whether organizations are worthy of claiming adherence to a particular quality.

Where ISO created the framework and the standard of measure, the ethics of attesting to meeting this measure are performed only by an approved certification body. A certification body is able to create an assessment condition and certify that an organization has achieved that standard. ISO doesn't perform ISO certifications because to do so is kind of like a scientific double dip.

Framework for practice is often interpreted in "how to" and methodology documents. Checklists and toolkits are tools. Tools may leverage a framework, but they are not the framework.

Standards state what we achieve.

What this means to us is that we represent an organization that measures whether people meet the standard of Certified Information Systems Auditor. ISACA is a certification body. What they produce is us. We represent the group that must understand the frameworks and standards of technology and audit so that we can collectively align to a measure of quality. ISACA produces us, and we are allowed to implement and measure.

Our mission, therefore, is to be content or product. We are the measure.

We are accountable to all technology standards, and we agree that when we can demonstrate knowledge across a matrix of information, we meet the criteria that define a CISA.

CobiT® is not a standard. It is the quintessential framework by which we recognize all triggers for all other standards as needed by information audit and control.

CobiT® identifies a risk framework. If, in the process of identifying a risk, we uncover a need for specific OSHA or FIPS guidelines, we are responsible for applying those standards. CobiT® is not a Federal Information Processing Standard (FIPS). A FIPS publication number in isolation represents a single, dated instance of a Federal Information Processing Standard. Invoking its use would be an example of applying methods within the CobiT® framework.

CobiT® is a framework. ISACA measures and certifies people. We meet a standard so that we may be authorized to assist in the measure of how technologies meet other standards.

CobiT® is a framework, a backbone that allows us to exercise and eventually meet a physical and actionable knowledge standard.

Frameworks and methods are theories that, when combined with our own physical work or exercise, help us to achieve excellence.

Presidential Physical Fitness Award =
Framework (Nutrition and Exercise),
Processes (practice),
Criterion Reference (Measure of Health),
Assessment (Recognized Test of Fitness),
Benchmark (Interpretation of results according to normalized testing conditions and findings).

ISACA is a standards body. CISA certification is a standard. CobiT® is a framework. The matrix in CobiT® recognizes a place and trigger for every known technology and enterprise technology management standard.

Sarbanes-Oxley, Sections 302 and 404: Internal Controls

PB&SP helps clients to recognize appropriate industry models for their organization's needs, and promotes a structure of process development that is consistent with the maturity measurements defined by COBIT®. PB&SP provides rapid process development services, basing process selection on both standards and business reality. Since the enactment of Sarbanes-Oxley, companies need to understand new risk and control requirements. IT Management, Financial, and Audit departments all want to know how they are required to respond. Companies are required to achieve transparency, accountability, and integrity while respecting the needs of a balanced business scorecard.

While no effort to implement a standard is wasted, and all frameworks provide a basis for process, the answer to our current need for immediate and comprehensive evidence of internal controls across all systems and information technology is COBIT®. We don't stop there. We also use ITIL®, NIST, FIPS, ISO, PCI/VISA CISPV2.3, COSO, and virtually all known standards in our projects supporting both process and regulatory compliance.



Reference

A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 2000 Edition, Project Management Institute, Inc., Newtown Square, PA, USA, 2000.

Six Sigma Project Management: A Pocket Guide, by Jeffrey N. Lowenthal, PhD (American Society for Quality; Spiral edition, August 1, 2001).

The COBIT® (Control Objectives for Information and Related Technology) framework was released in 1996 and updated in 1998 and 2000 by the Information Systems Audit and Control Foundation (ISACF) in response to the need for a reference framework for security and control in information technology. In 2000, the IT Governance Institute and ISACF developed the Management Guidelines for COBIT®. These guidelines respond to a need by management for control and measurability of IT, for the purpose of ensuring that IT activities achieve business objectives.

Little Book of Configuration Management (Airlie Software Council, Arlington, VA, November 1998), Software Program Managers Network, http://www.spmn.com. Copyright © 1998 by Computers & Concepts Associates, a division of Integrated Computer Engineering, Inc., in the performance of Federal Systems Integration and Management Center (FEDSIM).

The ITIL® website www.itil.co.uk is a useful repository of information about ITIL®. There you will find information about how ITIL® publications are developed, including the latest news about books in development, and details of most of the books in the set. In addition, there is a Frequently Asked Questions page, links to most of the important partners in the ITIL® family (ITSMF, TSO, BSI, ISEB, EXIN), separate secure sites for ITIL® book development teams, and links to on-line ordering.

The Information Technology Security Office (ITSO) is the focal point for addressing NIST-wide information technology (IT) security issues. Functions of the ITSO include establishing, implementing, and testing information security policies, procedures, and technologies for NIST's administrative and scientific environments. The ITSO also investigates computer security breaches by a NIST user or through a NIST system. To report a security incident or to discuss an IT concern related to NIST, contact the IT Security Officer at nist-itso@nist.gov or 301-975-2901. The role of the ITSO should not be confused with that of the Information Technology Laboratory's Computer Security Division. Under the Computer Security Act of 1987, the Computer Security Division develops security standards and guidelines for sensitive (unclassified) Federal IT systems and works with industry to help improve the security of commercial IT products. The Division has key focused activities in the areas of cryptographic standards and applications, security of emerging technologies, security management, and security testing. The ITSO benefits from having access to subject matter experts, and the division benefits from having the environment to apply the research conducted and to contribute operational experience to its activities. For more information on the ITL Computer Security Division, see http://csrc.nist.gov.

United States Congress, Sarbanes-Oxley Act of 2002, 15 U.S.C. §7201 (2002), "Sarbanes-Oxley Act of 2002", "SOX", in Public Law 107-204, H.R. 3763, S. 2673, & Congressional Record Vol. 148 (2002), Washington: U.S. Government Printing Office, 116 STAT. 745-810.

COBIT®. Retrieved December 1, 2005 from http://www.isaca.org/Template.cfm?Section=COBIT&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981.

COSO, Committee of Sponsoring Organizations of the Treadway Commission. Retrieved December 1, 2005 http://www.coso.org/.

ITIL®, Information Technology Infrastructure Library. Retrieved December 1, 2005 http://www.ogc.gov.uk/index.asp?id=2261.

BSI, British Standards Institute, "BS ISO/IEC 17799:2005", in British Standard ISO/IEC 27001:2005, London, United Kingdom: The Stationery Office, 2005.

ISACA, Information Systems Audit and Control Association. Retrieved December 1, 2005 http://www.isaca.org/.

OGC, Office of Government Commerce, "ICT Infrastructure Management", in ITIL® Series, London, United Kingdom: The Stationery Office, 2002.

NIST, National Institute of Standards and Technology. FIPS, Federal Information Processing Standards Publication. Retrieved December 1, 2005 from http://www.itl.nist.gov/fipspubs/.

United States Congress, "FISMA", "Federal Information Security Management Act of 2002", in Public Law 107-347, H. R. 2458-48, Title III, Washington: U.S. Government Printing Office, SEC 301-305.

U.S. Department of Homeland Security. FEMA, Federal Emergency Management Agency. Retrieved December 1, 2005 from http://www.fema.gov/.

GAO Accounting and Information Division. FISCAM, Federal Information System Controls Audit Manual Volume I: Financial Statement Audits, Washington: Government Accountability Office, 1999. Retrieved December 1, 2005 from http://www.gao.gov/special.pubs/ai12.19.6.pdf.

"Making Process Real", first published in 2002, was used to create a large portion of this content. Recent publications have added to these concepts.

PB&SP consulting engagements include Siemens, Raytheon, Journal Communications, MA/COM, CTC Communications, Fleet Bank, State Street Bank, Fidelity Investments, Sun Life Financial, Cincinnati Bell (Core), AON, IDC, OFFSITE Inc., Lucent Technologies, SanDisk, OCC, Financial Times Interactive Data and more.

In addition to on-site engineering and project management, PB&SP provides daily and hourly web-based COBIT®, ITIL® and ISO 9001 & 17799 series compliance and process training. Trainers have expertise and experience including recent certification by ISACA as COBIT® certified, and ISEB ITIL® foundation certified.

Many clients use our services for CISSP, CISA and ITIL® certification readiness.

PB&SP is able to work within any client schedule, to include national web conferencing, evening and weekend service delivery.

Samples:
COBIT® 3.0 quick domain review
Sample preparation summary
Training delivered to ITIL® organization ITsMF New England
CobiT 4.0

(COBIT® content is registered and fully owned by ISACA. We are proud to assist in support of their mission.)