
The IT Governance Institute is pleased to offer you this complimentary download of COBIT. COBIT provides good practices for the management of IT processes in a manageable and logical structure, meeting the multiple needs of enterprise management by bridging the gaps between business risks, technical issues, control needs and performance measurement requirements. If you believe, as we do, that COBIT enables the development of clear policy and good practices for IT control throughout your organisation, we invite you to support ongoing COBIT research and development. There are two ways in which you may express your support: (1) Purchase COBIT through the Association (ISACA) Bookstore (please see the following pages for order form and Association membership application. Association members are able to purchase COBIT at a significant discount); (2) Make a generous donation to the Information Systems Audit and Control Foundation, which sponsors the IT Governance Institute.

The complete COBIT package consists of all six publications, an ASCII text diskette, four COBIT implementation/orientation Microsoft PowerPoint presentations and a CD-ROM. A brief overview of each component is provided below. Thank you for your interest and support of COBIT! For additional information about the IT Governance Institute visit www.ITgovernance.org

Management Guidelines
To ensure a successful enterprise, you must effectively manage the union between business processes and information systems. The new Management Guidelines is composed of Maturity Models, Critical Success Factors, Key Goal Indicators and Key Performance Indicators. These Management Guidelines will help answer the questions of immediate concern to all those who have a stake in enterprise success.

Control Objectives
The key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT’s Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 318 specific, detailed control objectives throughout the 34 high-level control objectives.

Executive Summary
Sound business decisions are based on timely, relevant and concise information. Specifically designed for time-pressed senior executives and managers, the COBIT Executive Summary consists of an Executive Overview which explains COBIT’s key concepts and principles.

Implementation Tool Set
An Implementation Tool Set, which contains Management Awareness and IT Control Diagnostics, Implementation Guide, frequently asked questions, case studies from organizations currently using COBIT and slide presentations that can be used to introduce COBIT into organizations. The tool set is designed to facilitate the implementation of COBIT, relate lessons learned from organizations that quickly and successfully applied COBIT in their work environments and assist management in choosing implementation options.

Framework
A successful organization is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, technology, facilities and data) are important for the IT processes to fully support the business objective.

Audit Guidelines
Analyze, assess, interpret, react, implement. To achieve your desired goals and objectives you must constantly and consistently audit your procedures. Audit Guidelines outlines and suggests actual activities to be performed corresponding to each of the 34 high-level IT control objectives, while substantiating the risk of control objectives not being met.

CD-ROM
The CD-ROM, which contains all of COBIT, is published as a Folio infobase. The material is accessed using Folio Views, which is a high-performance information retrieval software tool. Access to COBIT’s text and graphics is now easier than ever, with flexible keyword searching and built-in index links (optional purchase). A network version (multi-user) of COBIT 3rd Edition will be available. It will be compatible with Microsoft Windows NT/2000 and Novell NetWare environments. Contact the ISACA Bookstore for pricing and availability.

See Order Form, Donation Information and Membership Application on the following pages. We invite your comments and suggestions regarding COBIT. Please visit www.isaca.org/cobitinput.htm





Information Systems Audit and Control Association

What does the Certified Information Systems Auditor credential mean to you?

As an Employer
By hiring or retaining the services of a CISA, an organization has invested in a professional who has:
- Distinguished himself/herself from other industry professionals
- Followed a learning path to demonstrate IT assurance knowledge and skill
- Committed to maintaining skills through future professional development

For more than twenty years organizations have turned to professionals who have earned a CISA designation. CISAs have the proven ability to perform reviews in accordance with generally accepted standards and guidelines to ensure that the organization’s information technology and business systems are adequately controlled, monitored and assessed.

As an IT Professional
Earning the CISA designation helps assure a positive reputation as a qualified IS audit, control and/or security professional, and because the CISA program certifies individuals who demonstrate proficiency in today’s most sought-after skills, employers prefer to hire and retain those who achieve and maintain their designation.

Although certification may not be mandatory for you at this time, a growing number of organizations are recommending employees to become certified. To help ensure your success in the global marketplace, it is vital that you select a certification program based on universally accepted technical practices. CISA delivers such a program. CISA is recognized worldwide, by all industries, as the preferred designation for IS audit, control and security professionals.

Requirements for CISA certification
See www.isaca.org/cert1.htm for specific details.
1. Successful completion of the CISA exam. The exam is offered annually at nearly 200 sites around the world in ten languages during the month of June.
2. Satisfy the work experience requirement pertaining to professional information systems (IS) auditing, control or security activity. Education waivers are available. See the CISA Bulletin of Information for details (www.isaca.org/exam1.htm).
3. Adhere to the Information Systems Audit and Control Association’s Code of Professional Ethics (www.isaca.org/standard/code2.htm).
4. Comply with annual continuing education requirements (www.isaca.org/cisacep1.htm).

Although COBIT is not specifically tested on the CISA examination, the COBIT control objectives or processes do reflect the tasks identified in the CISA Practice Analysis. As such, a thorough review of COBIT is recommended for candidate preparation for the CISA examination.

For further information, please contact the Certification Department at certification@isaca.org or by phone at 1.847.253.1545 ext. 474 or 471.

COBIT 3rd Edition
Control Objectives
July 2000
Released by the COBIT Steering Committee and the IT Governance Institute

The COBIT Mission: To research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.

INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION
A Single International Source for Information Technology Controls

The Information Systems Audit and Control Association is a leading global professional organisation representing individuals in more than 100 countries and comprising all levels of IT — executive, management, middle management and practitioner. The Association is uniquely positioned to fulfil the role of a central, harmonising source of IT control practice standards for the world over. Its strategic alliances with other groups in the financial, accounting, auditing and IT professions are ensuring an unparalleled level of integration and commitment by business process owners.

The Information Systems Audit and Control Association was formed in 1969 to meet the unique, diverse and high technology needs of the burgeoning IT field. In an industry in which progress is measured in nano-seconds, ISACA has moved with agility and speed to bridge the needs of the international business community and the IT controls profession.

Association Programmes and Services
The Association’s services and programmes have earned distinction by establishing the highest levels of excellence in certification, standards, professional education and technical publishing.

Its certification programme (the Certified Information Systems Auditor) is the only global designation throughout the IT audit and control community.

Its standards activities establish the quality baseline by which other IT audit and control activities

Its professional education programme offers technical and management conferences on five continents, as well as seminars worldwide to help professionals everywhere receive high-quality continuing education.

Its technical publishing area provides references and professional development materials to augment its distinguished selection of programmes and services.

For More Information
To receive additional information, you may telephone (1.847.253.1545), send an e-mail (research@isaca.org) or visit these web sites:

CONTROL OBJECTIVES

TABLE OF CONTENTS
Acknowledgments 4
Executive Overview 5-7
The COBIT Framework 8-12
The Framework’s Principles 13-17
COBIT History and Background 18-19
Control Objectives—Summary Table 20
The Control Objectives’ Principles 21
Control Objectives Navigation Overview 22
Control Objective Relationships: Domain, Processes and Control Objectives 23-27
Control Objectives 29
  Planning and Organisation 31-68
  Acquisition and Implementation 69-88
  Delivery and Support 89-124
  Monitoring 125-134
Appendix I: IT Governance Management Guideline 137-140
Appendix II: COBIT Project Description 141
Appendix III: COBIT Primary Reference Material 142-143
Appendix IV: Glossary of Terms 144
Index 145-148

Disclaimer
The Information Systems Audit and Control Foundation, IT Governance Institute and the sponsors of COBIT: Control Objectives for Information and related Technology have designed and created the publications entitled Executive Summary, Framework, Control Objectives, Management Guidelines, Audit Guidelines and Implementation Tool Set (collectively, the “Works”) primarily as an educational resource for controls professionals. The Information Systems Audit and Control Foundation, IT Governance Institute and the sponsors make no claim that use of any of the Works will assure a successful outcome. The Works should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his or her own professional judgment to the specific control circumstances presented by the particular systems or IT environment.

Disclosure and Copyright Notice
Copyright 1996, 1998, 2000 by the Information Systems Audit and Control Foundation (ISACF). Reproduction for commercial purpose is not permitted without ISACF’s prior written permission. Permission is hereby granted to use and copy the Executive Summary, Framework, Control Objectives, Management Guidelines and Implementation Tool Set for non-commercial, internal use, including storage in a retrieval system and transmission by any means including electronic, mechanical, recording or otherwise. All copies of the Executive Summary, Framework, Control Objectives, Management Guidelines and Implementation Tool Set must include the following copyright notice and acknowledgment: “Copyright 1996, 1998, 2000 Information Systems Audit and Control Foundation. Reprinted with the permission of the Information Systems Audit and Control Foundation and IT Governance Institute.”

The Audit Guidelines may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), except with ISACF’s prior written authorization; provided, however, that the Audit Guidelines may be used for internal non-commercial purposes only. Except as stated herein, no other right or permission is granted with respect to this work. All rights in this work are reserved.

Information Systems Audit and Control Foundation
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: 1.847.253.1545
Fax: 1.847.253.1443
E-mail: research@isaca.org
Web sites:
17-2 (Control Objectives)
1-893209-13-X (Complete 6 book set with CD-ROM)
Printed in the United States of America.

IT GOVERNANCE INSTITUTE 3

ACKNOWLEDGMENTS

COBIT STEERING COMMITTEE
Erik Guldentops, S.W.I.F.T. sc, Belgium
John Lainhart, PricewaterhouseCoopers, USA
Eddy Schuermans, PricewaterhouseCoopers, Belgium
John Beveridge, State Auditor’s Office, Massachusetts, USA
Michael Donahue, PricewaterhouseCoopers, USA
Gary Hardy, Arthur Andersen, United Kingdom
Ronald Saull, Great-West Life Assurance, London Life and Investors Group, Canada
Mark Stanley, Sun America Inc., USA

SPECIAL THANKS to the ISACA Boston and National Capital Area Chapters for their contributions to the COBIT Control Objectives.

SPECIAL THANKS to the members of the Board of the Information Systems Audit and Control Association and Trustees of the Information Systems Audit and Control Foundation, headed by International President Paul Williams, for their continuing and unwavering support of COBIT.

EXECUTIVE OVERVIEW

Critically important to the survival and success of an organisation is effective management of information and related Information Technology (IT). In this global information society—where information travels through cyberspace without the constraints of time, distance and speed—this criticality arises from the:
- Increasing dependence on information and the systems that deliver this information
- Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare
- Scale and cost of the current and future investments in information and information systems
- Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs

acquiring and implementing, delivering and supporting, and monitoring IT performance to ensure that the enterprise’s information and related technology support its business objectives. IT governance thus enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage.

IT GOVERNANCE
A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value w
