COBIT: introduction to international information security audit specifications

Source: Internet
Author: User


COBIT stands for Control Objectives for Information and related Technology. It is published by ISACA (the Information Systems Audit and Control Association, a US-based organization responsible for information technology security and control reference architectures); first issued as an industry standard in 1996, it has since been updated to its third edition. COBIT is internationally recognized as the most advanced and authoritative standard for security and information technology management and control. It consolidates 18 international sources into a single set of rules that enterprise executives, users, IT experts, MIS auditors and security control staff can use to strengthen and evaluate IT management and control.

The main purpose of the COBIT framework is to give the industry a clear model of policy and good practice for IT control. The framework defines 34 IT processes, divided into four domains: PO (Planning & Organization), AI (Acquisition & Implementation), DS (Delivery & Support) and M (Monitoring). Together these processes contain 302 control objectives, each with best-practice implementation guidance.

The components of COBIT are introduced below:

1. Management Guidelines: these include maturity models, which help determine whether each control stage and its expected level comply with industry norms; critical success factors (CSFs), which identify the most important activities for achieving control in IT processes; key goal indicators (KGIs), which define the target level of performance; and key performance indicators (KPIs), which measure whether an IT control process is achieving its goal. These guidelines aim to ensure that enterprises can integrate their business processes and information systems successfully and effectively.

2. Executive Summary: sound enterprise decisions are based on timely, relevant and concise information. This section gives senior managers, who must decide in seconds, an overview of the key COBIT concepts and principles, together with a clearer picture of the four COBIT domains and the outline structure of the 34 IT processes.

3. Framework: a successful organization is built on a robust architecture of data and knowledge. This section therefore describes the 34 high-level IT control objectives of COBIT and shows how the enterprise's requirements for information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) and for IT resources (people, application systems, technology, facilities and data) are tied closely to each control objective.

4. Audit Guidelines: to achieve the expected goals, every process must be audited continuously and thoroughly. This section provides audit guidance for the 34 high-level IT control objectives, helping information systems auditors check that IT processes meet the 302 individual control objectives, so that they can give management assurance and recommendations for improvement.

5. Control Objectives: the key to staying profitable in a changing technology environment lies in maintaining good control. COBIT's control objectives give IT control a key strategy for clarifying policy and providing good implementation guidance, including a detailed description of the 302 individual control objectives used to achieve the expected goals or results.

6. Implementation Tool Set: this includes a management awareness and IT control diagnostic, an implementation guide, a set of frequently asked questions (FAQs), case studies of organizations using COBIT, and slide presentations. These tools are designed to make COBIT easier to apply: they let organizations learn quickly and successfully from the teaching materials how to use COBIT in their working environment, and prompt leadership to consider how important COBIT is to the enterprise's objectives. The above is a preliminary overview of COBIT. Next we introduce its four domains and 34 IT processes:

I. PO (Planning & Organization)

1. Define a strategic IT plan

2. Define the information architecture

3. Determine the technological direction

4. Define the IT organization and its relationships

5. Manage the IT investment

6. Communicate management aims and direction

7. Manage human resources

8. Ensure compliance with external requirements

9. Assess risks

10. Manage projects

11. Manage quality

II. AI (Acquisition & Implementation)

1. Identify solutions

2. Acquire and maintain application software

3. Acquire and maintain the technology infrastructure

4. Develop and maintain IT procedures

5. Install and accredit systems

6. Manage changes

III. DS (Delivery & Support)

1. Define service levels

2. Manage third-party services

3. Manage performance and capacity

4. Ensure continuous service

5. Ensure systems security

6. Identify and allocate costs

7. Educate and train users

8. Assist and advise IT customers

9. Manage the configuration

10. Manage problems and incidents

11. Manage data

12. Manage facilities

13. Manage operations

IV. M (Monitoring)

1. Monitor the processes

2. Assess internal control adequacy

3. Obtain independent assurance

4. Provide for independent audit

COBIT can be applied to all enterprise information systems, including personal computers, minicomputers, mainframes and distributed computing environments. It is built on the idea that IT resources must be managed by a set of naturally grouped processes in order to provide the appropriate and reliable information the organization needs to achieve its goals. ISACA currently offers professional certification for COBIT information control professionals. Certified experts have been assisting with computer security control audits in Europe and America for more than 10 years, and in response to the challenges of network security many control and management requirements have been strengthened. At present, China has more than 10 international computer auditors who have passed the examination and been certified (CISA: Certified Information Systems Auditor). Under the US Electronic Seal Act, information security controls at electronic certificate service providers even require persons with CISA qualifications to perform independent audits confirming the effectiveness of their security management. This shows the market prospects of CISA.
