ISACA has issued fresh guidance that outlines five principles organizations can use to effectively govern and manage their information and technology.
The principles form the core of the COBIT 5 governance and management framework, and represent a refresh of focus for the initiative. The COBIT framework was developed by ISACA for IT management and governance professionals and is designed to allow managers to define the complex relationship that exists between security control requirements, technical issues, and business risks.
The new principles are:
- Meeting Stakeholder Needs – It is critical to define and link enterprise goals and IT-related goals to best support stakeholder needs.
- Covering the Enterprise End to End – Companies must shift from managing IT as a cost to managing IT as an asset, and business managers must take on the accountability for governing and managing IT-related assets within their own functions.
- Applying a Single Integrated Framework – Using a single, integrated governance framework can help organizations deliver optimum value from their IT assets and resources.
- Enabling a Holistic Approach – Governance of enterprise IT (GEIT) requires a holistic approach that takes into account many components, also known as enablers. Enablers influence whether something will work. COBIT 5 features seven enablers for improving GEIT, including principles, policies and frameworks; processes; culture; information and people.
- Separating Governance from Management – Governance processes ensure goals are achieved by evaluating stakeholder needs; setting direction through prioritization and decision making; and monitoring performance, compliance and progress. Based on the results of governance activities, business and IT management then plan, build, run and monitor activities to ensure alignment with the direction that was set.
“Understanding these principles will help a company effectively use COBIT to make better IT-related investments and decisions, and to drive more value from their information and technology assets,” said Robert Stroud, international president of ISACA, in a statement. “COBIT is practical and effective for all types of enterprises, helping to ensure everyone is moving in the same direction and speaking the same language.”
That's important considering that some security analysts view COBIT as a baseline that companies should use to ensure that they are complying with various information security rules and regulations, such as PCI DSS, Sarbanes-Oxley, and Basel III.
COBIT 5 “will provide the blueprint for approaching all governance, risk and compliance questions in a uniform manner. It will help IT security managers to have one single framework, like a Swiss army knife, so that they can pick and choose the right tool to make sure they are complying with whatever standards they have to adhere to by law or regulation,” said Rolf von Roessing, president of Swiss consulting network Forfa and past international vice president of ISACA.