What are the four IT control process domains?
COBIT groups IT control processes into four broad domains: (1) planning and organization, (2) acquisition and implementation, (3) delivery and support, and (4) monitoring. Figure 8.2 depicts the relationship among these four domains and lists the IT control processes within each domain. Notice that the monitoring domain provides feedback to the other three domains. In the remainder of this chapter we discuss these ten IT control processes.
Before we move on to a discussion of the ten IT control processes, let’s discuss the concept of a control process. A “control process” could easily be, and often is, referred to as a “management practice.” This latter terminology emphasizes management’s responsibility for control in the organization and the practices, or processes, that will bring about achievement of an organization’s objectives. It is through a coordinated effort, across all IT resources and all organizational units, that the objectives of the organization are achieved.
Data: Objects in their widest sense (i.e., external and internal), structured and non-structured, graphics, sound, etc.
Application systems: Application systems are understood to be the sum of manual and programmed procedures.
Technology: Technology covers hardware, operating systems, database management systems, networking, multimedia, etc.
Facilities: Facilities are all resources to house and support information systems.
People: People resources include staff skills, awareness, and productivity to plan, organize, acquire, deliver, support, and monitor information systems and services.
Source: Reprinted with permission from COBIT: Control Objectives for Information and Related Technology—Framework, 3rd ed. (Rolling Meadows, IL: The Information Systems Audit and Control Foundation, 2000): 14.