Known by the acronym PAM, the security model is billed as allowing business and IT managers to have confidence in the assessment process and the quality of the results as they maximize the business value of their IT investments. The model is offered as a free download for association members, and for $50.00 for non-members.
As reported previously, COBIT is a framework created by ISACA for IT management and governance professionals. First released back in 1996, the framework is essentially a supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks.
Like the RACI/RAM responsibility assignment matrix, COBIT seeks to allow professionals to bridge the gap between the risk analysis process and the quantitative assessment that accountants – and boards – are used to, Infosecurity notes.
With COBIT defining 34 generic processes to manage IT – complete with process inputs and outputs, key process activities, process objectives, performance measures and a simple maturity model – PAM is billed as an aid to security management.
Plans call for the second guide in the COBIT assessment program series – COBIT Assessor Guide Using COBIT 4.1 – to be issued later this year. The guide will, said ISACA, provide information on how to undertake a formal assessment by a trained certified assessor.
The assessor guide, the association added, will use the COBIT PAM as a base reference document and provide options for the scoping of assessments.
A third guide in the series – COBIT Self-assessment Guide Using COBIT – is also in development and is billed as allowing enterprises to perform basic self-assessment of current IT process capability levels against the COBIT framework.
Enterprises will, said the security association, be able to use it to perform non-evidence-based capability assessments to serve as a precursor review to a formal assessment.