COBIT Checklist And Review - SDLCforms


COBIT Checklist and Review

Project Name:
Version:
Your Company Name
Date:

Confidential – 2015 Documentation Consultants (www.SDLCforms.com). Document: 2650. Page 1 of 21

Revision History

Date | Version | Author | Change

COPYRIGHT NOTICE

Confidential – 2015 Documentation Consultants. All rights reserved. These materials are for internal use only. No part of these materials may be reproduced, published in any form or by any means, electronic or mechanical, including photocopy or any information storage or retrieval system, nor may the materials be disclosed to third parties without the written authorization of (Your Company Name).

Table of Contents

1 Introduction .......... 4
2 COBIT Control Objectives .......... 4
3 COBIT Component Summary .......... 5
4 COBIT Processes .......... 7
  4.1 Planning and Organization .......... 7
  4.2 Acquisition and Implementation .......... 12
  4.3 Delivery and Support .......... 15
  4.4 Monitoring .......... 20
5 Appendix .......... 21

Note: Text displayed in blue italics is included to provide guidance to the author and should be deleted before publishing the document. In any table, select and delete any blue line text; then click Home > Styles and select "Table Text" to restore the cells to the default value.

1 Introduction

COBIT (Control Objectives for Information and Related Technology) provides a standardized structure for Information Technology (IT) governance and control. It is widely used to organize the IT general controls that support compliance with the Sarbanes-Oxley Act, in particular the controls over the systems that produce financial reporting.

COBIT provides management and business process owners with an IT control model that helps them understand and manage the risks associated with IT. COBIT helps bridge the gaps between business risks, control needs, and technical issues.

Note: Management should review the checklists and determine the areas where information and controls are required, and whether the current documentation is up to date or must be revised or developed.

2 COBIT Control Objectives

COBIT Control Objectives focus on specific, detailed control objectives associated with each IT process. For each of the 34 IT processes (listed by domain in Section 3), there are detailed control objectives that align the overall structure with objectives drawn from primary sources, including the standards and regulations that relate to IT. Each control objective is a statement of the desired result to be achieved by implementing specific control procedures within an IT activity, and together they provide a clear policy and good practice for IT control across the industry and worldwide.

Control objectives provide a working document of specific and clear definitions of a set of controls that ensure effectiveness, efficiency, and economy of resource utilization. For each process, the detailed control objectives are identified as the minimum controls that need to be in place. The roughly 300 detailed control objectives together map the relationships among domains, processes, and control objectives.

Note: In the checklists that follow, record for each topic whether documentation is required (Y/N) and, where it is, whether the existing documentation is up to date (Y/N). A "Y" in the first column with an "N" in the second marks a control whose evidence must be revised or produced before review.

3 COBIT Component Summary

COBIT (Control Objectives for Information and Related Technology) is a complete structure for managing Information Technology (IT) risk and control. It comprises four domains, 34 IT processes, and roughly 300 detailed control objectives, and it includes controls that address both operational and compliance objectives.

Domain: Plan and Organize (IT Environment)
Process Topics:
- IT Strategic Planning
- Information Architecture
- Determine Technological Direction
- IT Organization and Relationships
- Manage the IT Investment
- Communication of Management Aims and Direction
- Management of Human Resources
- Compliance with External Requirements
- Assessment of Risks
- Manage Projects
- Management of Quality

Domain: Acquire and Implement (Program Development and Program Change)
Process Topics:
- Identify Automated Solutions
- Acquire or Develop Application Software
- Acquire Technology Infrastructure
- Develop and Maintain Policies and Procedures
- Install and Test Application Software and Technology Infrastructure
- Manage Changes

Domain: Deliver and Support (Computer Operations and Access to Programs and Data)
Process Topics:
- Define and Manage Service Levels
- Manage Third-Party Services
- Manage Performance and Capacity
- Ensure Continuous Service
- Ensure Systems Security
- Identify and Allocate Costs
- Educate and Train Users
- Assist and Advise Customers
- Manage the Configurations
- Manage Problems and Incidents
- Manage Data
- Manage Facilities
- Manage Operations

Domain: Monitor and Evaluate (IT Environment)
Process Topics:
- Monitoring
- Adequacy of Internal Controls
- Independent Assurance
- Internal Audit

The following table describes the COBIT domain components.

Component: Control Environment
Description: The control environment establishes the basis for internal control, creates the "direction from the top," and represents the corporate governance structure. Issues raised in the control environment component apply throughout the IT organization.

Component: Risk Assessment
Description: Risk assessment provides for management identification and analysis of significant risks to achieving preset objectives, which form the basis for shaping control activities. Risk assessment can take place at the company level or at the activity level (e.g., for a specific process or business unit).

Component: Control Activities
Description: Control activities are the policies, procedures, and practices that ensure business objectives are achieved and risk mitigation strategies are carried out. Control activities address control objectives in order to mitigate the identified risks.

Component: Information and Communication
Description: Organizational information is required to run the business and realize the company's control objectives. Identification, management, and communication of this information represent a challenge to IT.

Component: Monitoring
Description: Monitoring is the supervision of internal control by management through continuous process review. There are two types of monitoring activities: continuous monitoring and separate evaluations.

4 COBIT Processes

The following summary tables indicate, by IT process and domain, the information criteria affected by the high-level control objectives.

4.1 Planning and Organization

The Planning and Organization section includes the following topics:
- Define a Strategic IT Plan
- Define the Information Architecture
- Determine the Technological Direction
- Define the IT Organization and Relationships
- Manage the IT Investment
- Communicate Management Aims and Direction
- Manage Human Resources
- Ensure Compliance with External Requirements
- Assess Risks
- Manage Projects
- Manage Quality

COBIT Topics (record for each: Documentation Required (Y/N); Documentation Up-To-Date (Y/N))

Define a Strategic IT Plan
- IT as Part of the Organization's Long- and Short-Range Plan
- IT Long-Range Plan
- IT Long-Range Planning - Approach and Structure
- IT Long-Range Plan Changes
- Short-Range Planning for the Information Services Function
- Assessment of Existing Systems

Define the Information Architecture
- Information Architecture Model
- Corporate Data Dictionary and Data Syntax Rules
- Data Classification Scheme
- Security Levels

Determine the Technological Direction
- Technological Infrastructure Planning
- Monitor Future Trends and Regulations
- Technological Infrastructure Contingency
- Hardware and Software Acquisition Plans
- Technology Standards

Define the IT Organization and Relationships
- The Information Services Function Planning or Steering Committee
- Organizational Placement of the Information Services Function
- Review of Organizational Achievements
- Roles and Responsibilities
- Responsibility for Quality Assurance
- Responsibility for Logical and Physical Security
- Ownership and Custodianship
- Data and System Ownership
- Supervision
- Segregation of Duties
- IT Staffing
- Job or Position Descriptions for Information Services Function Staff
- Key IT Personnel
- Contracted Staff Procedures
- Relationships

Manage the IT Investment
- Annual Information Services Function Operating Budget
- Cost and Benefit Monitoring
- Cost and Benefit Justification

Communicate Management Aims and Direction
- Positive Information Control Environment
- Management's Responsibility for Policies
- Communication of Organization Policies
- Policy Implementation Resources
- Maintenance of Policies
- Compliance with Policies, Procedures, and Standards
- Quality Commitment
- Security and Internal Control Framework Policy
- Intellectual Property Rights
- Issue-Specific Policies
- Communication of IT Security Awareness

Manage Human Resources
- Personnel Recruitment and Promotion
- Personnel Qualifications
- Personnel Training
- Cross-Training or Staff Back-up
- Personnel Clearance Procedures
- Employee Job Performance Evaluation
- Job Change and Termination

Ensure Compliance with External Requirements
- External Requirements Review
- Practices and Procedures for Complying with External Requirements
- Safety and Ergonomic Compliance
- Privacy, Intellectual Property, and Data Flow
- Electronic Commerce
- Compliance with Insurance Contracts

Assess Risks
- Business Risk Assessment
- Risk Assessment Approach
- Risk Identification
- Risk Measurement
- Risk Action Plan
- Risk Acceptance

Manage Projects
- Project Management Framework
- User Department Participation in Project Initiation
- Project Team Membership and Responsibilities
- Project Definition
- Project Approval
- Project Phase Approval
- Project Master Plan
- System Quality Assurance Plan
- Planning of Assurance Methods
- Formal Project Risk Management
- Test Plan
- Training Plan
- Post-Implementation Review Plan

Manage Quality
- General Quality Plan
- Quality Assurance Approach
- Quality Assurance Planning
- Quality Assurance Review of Adherence to the Information Services Function's Standards and Procedures
- System Development Life Cycle Methodology
- System Development Life Cycle Methodology for Major Changes to Existing Technology
- Updating the System Development Life Cycle Methodology
- Coordination and Communication
- Acquisition and Maintenance Framework for the Technology Infrastructure
- Third-Party Relationships
- Program Documentation Standards
- Program Testing Standards
- System Testing Standards
- Parallel / Pilot Testing
- System Testing Documentation
- Quality Assurance Evaluation of Adherence to Development Standards
- Quality Assurance Review of the Achievement of the Information Services Function's Objectives
- Quality Metrics
- Reports of Quality Assurance Reviews

4.2 Acquisition and Implementation

The Acquisition and Implementation section includes the following topics:
- Identify Solutions
- Acquire and Maintain Application Software
- Acquire and Maintain Technology Architecture
- Develop and Maintain IT Procedures
- Install and Accredit Systems
- Manage Changes

COBIT Topics (record for each: Documentation Required (Y/N); Documentation Up-To-Date (Y/N))

Identify Solutions
- Definition of Information Requirements
- Formulation of Alternative Courses of Action
- Formulation of Acquisition Strategy
- Third-Party Service Requirements
- Technological Feasibility Study
- Economic Feasibility Study
- Information Architecture
- Risk Analysis Report
- Cost-Effective Security Controls
- Audit Trails Design
- Ergonomics
- Selection of System Software
- Procurement Control
- Software Product Acquisition
- Third-Party Software Maintenance
- Contract Application Programming
- Acceptance of Facilities
- Acceptance of Technology

Acquire and Maintain Application Software
- Design Methods
- Major Changes to Existing Systems
- Design Approval
- File Requirements Definition and Documentation
- Program Specifications
- Source Data Collection Design
- Input Requirements Definition and Documentation
- Definition of Interfaces
- User-Machine Interface
- Processing Requirements Definition and Documentation
- Output Requirements Definition and Documentation
- Controllability
- Availability as Key Design Factor
- IT Integrity Provisions in Application Program Software
- Application Software Testing
- User Reference and Support Materials
- Re-Assessment of System Design

Acquire and Maintain Technology Architecture
- Assessment of New Hardware and Software
- Preventative Maintenance for Hardware
- System Software Security
- System Software Installation
- System Software Maintenance
- System Software Change Controls

Develop and Maintain IT Procedures
- Future Operational Requirements and Service Levels
- User Procedures Manual
- Operations Manual
- Training Materials

Install and Accredit Systems
- Training
- Application Software Performance Sizing
- Conversion
- Testing of Changes
- Parallel / Pilot Testing Criteria and Performance
- Final Acceptance Test
- Security Testing and Accreditation
- Operational Test
- Promotion to Production
- Evaluation of Meeting User Requirements
- Management's Post-Implementation Review

Manage Changes
- Change Request Initiation and Control
- Impact Assessment
- Control of Changes
- Documentation and Procedures
- Authorized Maintenance
- Software Release Policy
- Distribution of Software

4.3 Delivery and Support

The Delivery and Support section includes the following topics:
1 Define Service Levels
2 Manage Third-Party Services
3 Manage Performance and Capacity
4 Ensure Continuous Service
5 Ensure Systems Security
6 Identify and Attribute Costs
7 Educate and Train Users
8 Assist and Advise IT Customers
9 Manage the Configuration
10 Manage Problems and Incidents
11 Manage Data
12 Manage Facilities
13 Manage Operations

COBIT Topics (record for each: Documentation Required (Y/N); Documentation Up-To-Date (Y/N))

Define Service Levels
- Service Level Agreement Framework
- Aspects of Service Level Agreements
- Performance Procedures
- Monitoring and Reporting
- Review of Service Level Agreements and Contracts
- Chargeable Items
- Service Improvement Program

Manage Third-Party Services
- Supplier Interfaces
- Owner Relationships
- Third-Party Contracts
- Third-Party Qualifications
- Outsourcing Contracts

Manage Third-Party Services (continued)
- Continuity of Services
- Security Relationships
- Monitoring

Manage Performance and Capacity
- Availability and Performance Requirements
- Availability Plan
- Monitoring and Reporting
- Modeling Tools
- Proactive Performance Management
- Workload Forecasting
- Capacity Management of Resources
- Resources Availability
- Resources Schedule

Ensure Continuous Service
- IT Continuity Framework
- IT Continuity Plan Strategy and Philosophy
- IT Continuity Plan Contents
- Minimizing IT Continuity Requirements
- Maintaining the IT Continuity Plan
- Testing the IT Continuity Plan
- IT Continuity Plan Training
- IT Continuity Plan Distribution
- User Department Alternative Processing Back-up Procedures
- Critical IT Resources
- Back-up Site and Hardware
- Wrap-up Procedures

Ensure Systems Security
- Manage Security Measures
- Identification, Authentication, and Access
- Security of Online Access to Data
- User Account Management
- Management Review of User Accounts
- User Control of User Accounts
- Security Surveillance
- Data Classification
- Central Identification and Access Rights Management

Ensure Systems Security (continued)
- Violation and Security Activity Reports
- Incident Handling
- Re-Accreditation
- Counterparty Trust
- Transaction Authorization
- Non-Repudiation
- Trusted Path
- Protection of Security Functions
- Cryptographic Key Management
- Malicious Software Prevention, Detection and Correction
- Firewall Architectures and Connections with Public Networks
- Protection of Electronic Value

Identify and Attribute Costs
- Chargeable Items
- Costing Procedures
- User Billing and Chargeback Procedures

Educate and Train Users
- Identification of Training Needs
- Training Organization
- Security Principles and Awareness Training

Assist and Advise IT Customers
- Help Desk
- Registration of Customer Queries
- Customer Query Escalation
- Monitoring of Clearance
- Trend Analysis and Reporting

Manage the Configuration
- Configuration Recording
- Configuration Baseline
- Status Accounting
- Configuration Control
- Unauthorized Software
- Software Storage

Manage Problems and Incidents
- Problem Management System
- Problem Escalation

Manage Problems and Incidents (continued)
- Problem Tracking and Audit Trail

Manage Data
- Data Preparation Procedures
- Source Document Authorization Procedures
- Source Document Data Collection
- Source Document Error Handling
- Source Document Retention
- Data Input Authorization Procedures
- Accuracy, Completeness, and Authorization Checks
- Data Input Error Handling
- Data Processing Integrity
- Data Processing Validation and Editing
- Data Processing Error Handling
- Output Handling and Retention
- Output Distribution
- Output Balancing and Reconciliation
- Output Review and Error Handling
- Security Provision for Output Reports
- Protection of Sensitive Information during Transmission and Transport
- Protection of Disposed Sensitive Information
- Storage Management
- Retention Periods and Storage Terms
- Media Library Management System
- Media Library Management Responsibilities
- Back-up and Restoration
- Back-up Jobs
- Back-up Storage
- Archiving
- Protection of Sensitive Messages
- Authentication and Integrity
- Electronic Transaction Integrity
- Continued Integrity of Stored Data

Manage Facilities
- Physical Security
- Low Profile of the IT Site
- Visitor Escort

Manage Facilities (continued)
- Personnel Health and Safety
- Protection against Environmental Factors
- Uninterruptible Power Supply

Manage Operations

