Arthur Hart, CPA Audit Manager State of Florida Auditor General.

Using COBIT 5 as Audit Criteria October 2, 2013 Arthur Hart, CPA Audit Manager State of Florida Auditor General


Page 1

Using COBIT 5 as Audit Criteria

October 2, 2013

Arthur Hart, CPA, Audit Manager

State of Florida Auditor General

Page 2

The purpose of this class is to give an overview of COBIT 5 and its applicability for use in an IT audit.

• COBIT 5 drivers, evolution, definition, and benefits

• COBIT 5 key principles

• COBIT 5 key enablers

• COBIT 5 for Information Security

• Using COBIT 5 in an IT audit

Page 3

Studies by Gartner and others have revealed that 20 to 70 percent of large-scale investments in IT-enabled change are wasted, challenged, or fail to bring a return to the enterprise. This has been felt globally.

• Nike reportedly lost more than US $200 million through difficulties experienced in implementing its supply chain software.

• Failures in IT-enabled logistics systems at MFI (Mullard Furniture Industries) and Sainsbury Grocery in the UK led to multimillion-pound write-offs, profit warnings, and share price erosion.

• Tokyo Gas reported a US $46.6 million special loss due to cancellation of a large customer relationship management (CRM) project.

Page 4

Various symptoms of IT failures culminate in an underlying fundamental challenge – the lack of effective governance and management of enterprise IT.

• Failure to standardize processes first

• Inadequate user involvement

• Unclear business objectives

• Failure to control scope

• Requirements volatility

• Unsystematic development process

• Unreliable estimates

Page 5

To address this challenge, COBIT 5 was created as a central starting point for guidance, frameworks, and standards in the establishment of the Governance of Enterprise IT (GEIT).

• ISACA Board of Directors’ directive: “Tie together and reinforce all ISACA knowledge assets with COBIT.”

• Provide a renewed and authoritative governance and management framework for enterprise information and related technology

• Integrate all other major ISACA frameworks and guidance

• Align with other major frameworks and standards

Page 6

COBIT has evolved from its early beginnings as an audit and control assessment tool to a holistic Governance of Enterprise IT tool.

COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards, and resources:

• ISACA’s Val IT (IT Value Delivery)

• ISACA’s Risk IT

• ISACA’s BMIS (Business Model for Information Security)

• Information Technology Infrastructure Library (ITIL®)

• International Organization for Standardization (ISO)

Page 7

COBIT 5 provides globally accepted principles, practices, analytical tools, and models to help increase the trust in, and value from, enterprise information systems.

• Defines the starting point of governance and management activities with stakeholder needs related to enterprise IT

• Creates a more holistic, integrated, and complete view of enterprise governance and management of IT that is consistent and provides an end-to-end view on all IT-related matters

• Creates a common language between IT and business for the enterprise governance and management of IT

• Is consistent with generally accepted corporate governance standards, and thus helps to meet regulatory requirements

Page 8

COBIT 5 goes above and beyond COBIT 4.1 to provide guidance to entities in establishing and maintaining an effective and efficient enterprise IT environment.

• New Governance of Enterprise Information Technology (GEIT) principles

• Increased focus on enablers

• New and modified processes

• Separated governance and management practices and activities

• Revised and expanded goals and metrics

• Defined inputs and outputs

• More detailed RACI (Responsible, Accountable, Consulted, and Informed) charts

• Process Capability Assessment Model

Page 9

COBIT uses five principles in defining its approach to build an effective governance and management framework.

1. Meeting Stakeholder Needs

2. Covering the Enterprise End-to-End

3. Applying a Single Integrated Framework

4. Enabling a Holistic Approach

5. Separating Governance From Management

These principles and related details are documented in COBIT 5: A Business Framework for the Governance and Management of Enterprise IT and its appendices.

Page 10

COBIT translates stakeholder needs into specific, actionable enterprise goals that cascade to IT-related goals then to specific enabler (i.e., processes) goals and practices.

COBIT 5 Goals Cascade Overview (figure): Stakeholder Drivers (Environment, Technology Evolution, …) influence Stakeholder Needs (Benefits Realization, Risk Optimization, Resource Optimization), which cascade to Enterprise Goals, which cascade to IT-Related Goals, which cascade to Enabler Goals.

This translation allows setting specific goals at every level and in every area of the enterprise in support of the overall goals and stakeholder requirements, and thus effectively supports alignment between enterprise needs and IT solutions and services.

Page 11

In the Goals Cascade, stakeholder needs are related to a set of generic enterprise goals based on balanced scorecard (BSC) dimensions. They are associated with overall governance objectives.

(P – Primary Relationship; S – Secondary Relationship)

Page 12

The achievement of enterprise goals requires a number of IT-related outcomes, which are represented by IT-related goals. COBIT maps enterprise goals to IT-related goals.

Page 13

Achieving IT-related goals requires the successful application and use of enablers (i.e. process enablers). COBIT identifies a set of specific relevant process goals that can be defined in support of the IT-related goals.

Page 14

Using the Goals Cascade, COBIT is able to determine the processes and management practices (i.e., control objectives) that support IT-Related Goals that support Enterprise Goals that support overall Stakeholder Needs.

STAKEHOLDER NEEDS: Is the information I am processing well secured?

ENTERPRISE GOAL: Review of the control environment, information security, and safeguarding of assets is a main concern of stakeholders. The following enterprise goal is identified:

• 3. Managed business risk (safeguarding of assets)

IT-RELATED GOALS: The enterprise now takes the next step in the goals cascade: analyzing which IT-related goals correspond to the enterprise goal(s). The following IT-related goals are suggested as most important (all ‘P’ relationships):

• 04 Managed IT-related business risk

• 10 Security of information, processing infrastructure, and applications

• 16 Competent and motivated business and IT personnel

ENABLER GOALS: In the next step in the cascade, the enterprise will determine the most relevant IT-related processes that support the IT-related goal of “Security of information, processing infrastructure, and applications”. These processes are as follows:

• EDM03 – Ensure Risk Optimization

• APO12 – Manage Risk

• APO13 – Manage Security

• BAI06 – Manage Change

• DSS05 – Manage Security Services

Page 15

Through Covering the Enterprise End-to-End, COBIT integrates governance of enterprise IT into enterprise governance by covering all functions and processes within the enterprise.

• COBIT does not focus only on the IT function, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.

• It considers all IT-related governance and management enablers to be enterprisewide and end-to-end, i.e., inclusive of everything and everyone—internal and external—that is relevant to governance and management of enterprise information and related IT.

Page 16

With Applying a Single, Integrated Framework, COBIT provides a basis for effectively integrating the other frameworks, standards, and practices in use.

• Aligns with the latest relevant standards and frameworks

• Is complete in enterprise coverage

• Integrates all knowledge previously dispersed over the different ISACA frameworks

• Provides a simple architecture for structuring guidance materials and producing a consistent product set

Page 17

COBIT makes a clear distinction in Separating Governance From Management. These two disciplines encompass different types of activities, require different organizational structures, and serve different purposes.


* These equate to domains defined in the COBIT Process Reference Model discussed on the next few slides: (APO – Align, Plan, Organize), (BAI – Build, Acquire, Implement), (DSS – Deliver, Service, Support), (MEA – Monitor, Evaluate, Assess)

Page 18

COBIT includes a process reference model, which defines and describes in detail a number of governance and management processes. It represents all of the processes normally found in an enterprise relating to IT activities.

COBIT documents the process reference model and related details in COBIT 5 Enabling Processes.

Page 19

The five domains of the process reference model delineate the various processes of governance and management as distinct but related disciplines.

• Governance – ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-upon enterprise objectives to be achieved; sets direction through prioritization and decision making; and monitors performance and compliance against the agreed-upon direction and objectives

– Defined in the Evaluate, Direct, and Monitor (EDM) domain

• Management – plans, builds, runs, and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives

– Align, Plan, and Organize (APO)

– Build, Acquire, and Implement (BAI)

– Deliver, Service, and Support (DSS)

– Monitor, Evaluate, and Assess (MEA)

Using COBIT 5 Enabling Processes as a baseline, COBIT 5 for Information Security enhances it with guidance targeting information security.

Page 20

COBIT 5 for Information Security uses COBIT holistic enablers to promote comprehensive, effective, and efficient Information Security governance and management in an enterprise.

Page 21

Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. They can be inter-related and may need input from others to be effective.

• Principles, policies, and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.

• Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.

• Organizational structures are the key decision-making entities in an enterprise.

• Culture, ethics, and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.

• Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.

• Services, infrastructure, and applications include the infrastructure, technology, and applications that provide the enterprise with information technology processing and services.

• People, skills, and competencies are required for successful completion of all activities, and for making correct decisions and taking corrective actions.

Page 22

Enabler Performance Management is an integral part of COBIT 5 that measures the outcomes from the application and use of enablers. Measurements tie to each of the four enabler dimensions.

• Are Stakeholders’ Needs addressed?

• Are Enabler Goals achieved?

• Is the Life Cycle managed?

• Are Good Practices applied?

Page 23

In COBIT, all enablers have a set of common dimensions that provide a simple and structured way to address enablers, allow an entity to manage its complex interactions, and facilitate successful outcomes of enablers.

Generic Enabler Model

Page 24

For Information Security, COBIT extends the enabler, Principles, Policies, and Frameworks, to include principles and policies that promote good information security practices.

Information Security Principles – Information security principles communicate the rules of the enterprise in support of the governance objectives and enterprise values, as defined by the board and executive management.

Information Security Policies – Policies provide guidance on how to put principles into practice and how they will influence decision making. Not all relevant policies are written and owned by the information security function. COBIT structures policies into three groups:

o The information security policy, written by the information security function but driven by the board of directors (i.e., those charged with governance).

o Specific information security policies driven by the information security function.

o Other policies that can be related to information security, but are driven by other functions in the enterprise. In these policies, information security should influence the development to ensure the achievement of information security requirements.

Page 25

For the Processes Enabler, COBIT makes a distinction between governance and management processes. The difference between types of processes lies in the objectives of the processes.

Governance processes – These processes deal with the governance objectives of benefits realization, risk optimization, and resource optimization. They include practices and activities aimed at evaluating strategic options, providing direction to information security, and monitoring outcomes.

o These are represented by the Evaluate, Direct, and Monitor (EDM) domain (in line with ISO/IEC 38500 standard concepts).

Management processes – These processes include practices and activities designed to cover the responsibility areas of planning, building, running, and monitoring (PBRM) information security. The management processes provide end-to-end coverage of information security.

Page 26

COBIT provides detailed guidance on the definition, measurement, and activities of each process, augmented with security-specific requirements.

Process identification – Labels the process together with a short name and links to the type and domain

Process description – Describes what the process does and how the process accomplishes its purpose

Process purpose statement – Describes the overall purpose of the process

Process goals and metrics – Information security-specific process goals are included and linked to information security-specific metrics

Detailed description of the process practices – Practice title and description; information security-specific practice inputs and outputs; information security-specific process activities

Appendix B of COBIT 5 for Information Security provides further detailed guidance for each of the processes.

Page 27

As part of the Organizational Structures Enabler, COBIT categorizes organizational stakeholders into information security-specific and information security-related roles and structures.

Security-specific roles and structures – These are internal to the information security function.

o Chief information security officer

o Information security steering committee

o Information security manager

Security-related roles and structures – These are not organized as part of the information security function, but security policies should define these roles (especially custodians/owners).

o Enterprise risk management committee

o Information custodians/business owners

Appendix C of COBIT 5 for Information Security provides further detailed guidance for Organizational Structures.

Page 28

COBIT addresses the issue that the Culture, Ethics, and Behavior of individuals and enterprises are often underestimated as a success factor in information security governance and management.

COBIT defines high-level attributes of behaviors:

Organizational ethics – Determined by the values by which the enterprise wants to live

Individual ethics – Determined by the personal values of each individual in the enterprise, and, to an important extent, dependent on external factors such as beliefs, ethnicity, socio-economic background, geographic location, and personal experiences

Leadership – Ways that leadership can influence desired behavior:

o How communication, enforcement, and rules and norms can be used to influence behavior

o Incentives and rewards can be used to influence behavior

o Raising awareness

Page 29

In the Information Enabler, COBIT defines information types and information stakeholders that can be adapted to govern and manage information security within the enterprise.

The information type provides an idea of how deep information security can extend throughout the enterprise.

• Information security strategy, budget, and plan

• Information security policies and requirements

• Awareness material

• Information security review reports, security services catalogues, and risk profiles

• Information security dashboard (incidents, problems, and metrics)

Identifying the stakeholder of information is essential to optimize the development and distribution of information throughout the enterprise.

Internal Stakeholders – Federal Government, Governor, Legislature, Board, CEO, CFO, CISO, ISSC, Business process owner, HR

Internal IT Stakeholders – CIO/IT Manager, ISM

External Stakeholders – Investors, Regulators, Vendors/Suppliers, External Auditors, Florida citizens and taxpayers, Public interest groups, the Public in general

Page 30

The Services, Infrastructure, and Applications Enabler provides the enterprise with information processing and services capabilities required to provide information security and related functions to the enterprise.

• Provide a security architecture

• Provide security awareness

• Provide secure development (development in line with security standards)

• Provide security assessments

• Provide adequately secured and configured systems

• Provide user access and access rights

• Provide adequate protection against malware, external attacks, and intrusion attempts

• Provide adequate incident response

• Provide security testing

• Provide monitoring and alert services for security-related events

Appendix F of COBIT 5 for Information Security provides further detailed guidance for the Information Services.

Page 31

Through the People, Skills, and Competencies Enabler, typical information security-related skills and competencies are defined to ensure that all activities are completed successfully and correct decisions are made.

• Information security governance

• Information security strategy formulation

• Information risk management

• Information security architecture development

• Information security operations

• Information assessment, testing, and compliance

Appendix G of COBIT 5 for Information Security further defines skills and competencies together with related goals.

Page 32

As we have stated, COBIT 5 goes beyond 4.1 by focusing on the governance and management of enterprise IT. It also provides a comprehensive reference source for planning and executing an IT audit.

• COBIT 4.1 Control Practices have been enhanced into COBIT 5 Enabling Processes.

– Processes are redefined throughout to give a more governance and enterprise management perspective.

• Leveraging the Goals Cascade, IT-Related Goals, Process Goals, and related metrics are given.

• More encompassing RACI (Responsible, Accountable, Consulted, Informed) charts are given as a foundation for stakeholders and organizational structure.

• Management Practices (Control Objectives) are given along with Inputs and Outputs, which demonstrate the inter-dependencies of domains/processes.

• Control Activities are given which show the key activities to be expected in association with a particular process.

Reference COBIT 5 Enabling Processes for more detailed information on Processes and Activities

Page 33

With enterprise goals and related IT goals, the auditor can assess the overall control environment and how it is being measured and monitored in order to make a high-level determination of the focus of the audit.

(P – Primary Relationship; S – Secondary Relationship)

Page 34

Equating audit objectives to stakeholders’ needs and enterprise goals, the auditor can determine the process areas that need to be evaluated to gain assurance that applicable control objectives are being met.

STAKEHOLDER NEEDS: Is the information I am processing well secured?

ENTERPRISE GOAL: Through review of the control environment, the auditor finds that information security and safeguarding of assets is a main concern of stakeholders. The following enterprise goal, among others, is identified:

• 3. Managed business risk (safeguarding of assets)

IT-RELATED GOALS: The enterprise now takes the next step in the goals cascade: analyzing which IT-related goals correspond to the enterprise goal(s). The following IT-related goals are suggested as most important (all ‘P’ relationships):

• 04 Managed IT-related business risk

• 10 Security of information, processing infrastructure, and applications

• 16 Competent and motivated business and IT personnel

ENABLER GOALS: In the next step in the cascade, the enterprise will determine the most relevant IT-related processes that support the IT-related goal of “Security of information, processing infrastructure, and applications”. These processes are as follows:

• EDM03 – Ensure Risk Optimization

• APO12 – Manage Risk

• APO13 – Manage Security

• BAI06 – Manage Change

• DSS05 – Manage Security Services

Page 35

To determine the effectiveness of an entity’s organizational structure, RACI charts are included with each process to give a representation of a typical organization used to enable the process.

R-Responsible, A-Accountable, C-Consulted, I-Informed

The RACI chart is a guide and starting point to help the auditor determine the following:

• Is the Organizational Structure defined properly to support the process objectives?

• Are there adequate People, Skills, and Competencies to support the process?

• Is the Culture, Ethics, and Behavior of the organization in line with Good Practices?

Page 36

For each enabling process, COBIT 5 has defined Management Practices together with Inputs and Outputs of the Practices.

COBIT 5 governance and management practices can be related to COBIT 4.1 control objectives (or Val IT or Risk IT processes).

COBIT 5 activities are related to COBIT 4.1 control practices (or Val IT or Risk IT management practices).

Reference COBIT 5 Enabling Processes (Appendix A) for a detailed mapping of COBIT 4.1 Control Objectives to COBIT 5 Management Practices

Page 37

The COBIT 5 enabling processes are geared toward a holistic governance and management approach to the subject matter of the process.

While COBIT 4.1 defines the control objective as “Network Security”, focused solely on networks, COBIT 5 defines the Management Practice (Control Objective) to be applicable to all methods of connectivity.

COBIT 4.1 Control Objective: DS5.10 Network Security – Use security techniques and related management procedures (e.g. firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.

Page 38

Auditors can use the process components of Management Practices, Inputs, Outputs, and Activities to assess the health of an overall process and whether the associated control objectives (or management practices) are being met.

Page 39

With the enhanced detail incorporated in the COBIT 5 Enabling Processes, the auditor is given more guidance on determining the root cause of a control weakness.

Management Practice Activities can help with the analysis of the underlying cause of a control weakness:

• Does the process incorporate all steps necessary to support the process objectives and goals?

• Are supporting principles and policies adequate and maintained?

• Do the Services, Infrastructure, and Applications of the entity adequately support the process and objectives?

• Is information used and generated by the process adequate and appropriate?

Page 40

Additionally, the auditor is able to analyze the inter-dependencies of the Management Practice with other Practices within the process or across processes to help determine the fundamental cause of a control weakness.

Using Inputs, the auditor can “dig deeper” into the root cause of a control weakness:

• Is the Input process adequate to support the control objectives of the current process?

• Are the work-products generated by the Input process adequate to support the control objectives of the current process?

• Does the Input process provide the correct information to the current process?

Page 41

Let’s say that an auditor learns that external entities are able to breach security and gain access to some data (not all) on an organization’s network.

Upon further analysis, the auditor learned the following additional information:

The IT Department considers the security breach a low risk since the data that is being accessed is non-confidential as far as they are concerned.

The security breaches are not reported in a timely manner to IT management and business owners.

Some of the business owners would like to be made aware of the issue sooner, even though IT considers it a low risk. Notification from IT seems to be random and comes many days after the occurrence.

Some of the business owners, although IT says the data is non-confidential, do not like just anyone seeing the data without going through the proper authorization channels. In particular, this is important to the CRM (Customer Relationship Management) department in its tracking of potential customers or users of their services.

Network security policies and related documentation are 5 years old.

Page 42

Using COBIT 4.1, DS5.10 as the basis for controls evaluation, the auditor is concerned that, although the data is not confidential, the security breaches could lead to more severe breaches not being detected in a timely manner.

The auditor recommends the following:

1. Security policies and related documentation should be updated and reviewed at least annually.

2. The IT department should implement active monitoring and pattern recognition to protect devices from attack.

3. Security breaches should be monitored on a timely basis to determine any impact to critical data and business owners.

COBIT 4.1 Control Objective: DS5.10 Network Security – Use security techniques and related management procedures (e.g. firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.

Although the auditor addressed the current data concern, what is to say that next year another set of data will not be affected by this same symptom of the control weakness?

Page 43

Using COBIT 5, the auditor considers not only the Management Practice Activities of DSS05.02, but also the Inputs and Outputs of the Management Practice, in assessing and evaluating controls.

Management Practice: DSS05.02 Manage network and connectivity security

Inputs:

• APO09.03 Define and prepare service agreements/operating level agreements

• APO01.06 Define information (data classification) and system ownership

Outputs:

• Results of penetration tests

• Connectivity security policy

Page 44

In formulating observations, the Auditor considers enablers that are embedded in COBIT Management Practices and Activities and, additionally, the impacts from and to other processes.

The auditor recommends the following:

1. The organization should develop data classification guidelines based on input from all stakeholders.

2. The organization should create and maintain an inventory of information (systems and data) by data owner based on the data classification guidelines.

3. The IT department should prepare and maintain Operational Level Agreements (OLAs) with the business areas and address acceptable performance metrics and handling of the different classifications of data.

4. Security Policies should be established to take into account data classification and risk assessments and business requirements (OLAs) with respect to security of connectivity.

5. Network filtering mechanisms should be implemented that enforce security policies.

6. Periodic testing and monitoring of system security should be performed to determine the adequacy of system protection in line with security policies.

Page 45

Using COBIT 5, the auditor is able to add more value to the audit as well as the organization that is being audited by drilling through the processes to determine the underlying root cause of a control weakness.

Based on the fact that the organization did not have data classification guidelines and never classified its data, the IT Department had no concrete way of knowing that the data that was being breached was important and sensitive to business owners.

Additionally, because internal Operational Level Agreements had not been established, the IT Department had never been concerned about aligning the timeliness of reporting with business needs.

Finally, because the security policies were outdated and most likely not based on any sort of risk assessment or input from the business owners, the IT Department did not have proper guidance to ensure timely monitoring and reporting of security breaches.

As a result of the auditor’s use of COBIT 5, the control weakness should be permanently addressed for all relevant data. The symptom will not reoccur!

“Nip it! Nip it in the bud!” - Barney Fife, Deputy, Mayberry, NC, The Andy Griffith Show, Desilu Studios

Page 46

The COBIT product family encompasses enabler guides, professional guides, and an online collaborative environment.

Page 47

ISACA has a variety of articles and references related to COBIT. During the exposure period for COBIT 5, ISACA addressed general misconceptions related to COBIT based on the feedback it received.

Misconception: COBIT is a standard.
Fact: COBIT is a framework. Unlike a standard, which requires an enterprise to follow the complete guidance as it is documented, a framework is flexible and can, and should, be customized to fit an enterprise’s size, culture, risk profile, business needs, etc.

Misconception: COBIT is an IT audit framework.
Fact: COBIT is a framework that covers governance and management aspects of information and technology used across the complete enterprise from “end to end” and beyond, providing a common business language for the business’s use of information and technology assets.

Misconception: COBIT is technical.
Fact: COBIT is business-language-oriented and avoids the use of technical terms wherever possible.

Misconception: COBIT is a competitor of ITIL (Information Technology Infrastructure Library). (ITIL is a series of leading IT service management publications.)
Fact: COBIT and ITIL are complementary. COBIT brings breadth, covering all governance and management activities related to information and technology, and ITIL provides depth of guidance in IT service management areas.

Misconception: COBIT provides only control objectives for IT.
Fact: In addition to control objectives, COBIT also provides guidance on good management practices. To reflect this shift in framework content, COBIT now goes by its acronym only.

Page 48

The mapping of COBIT misconceptions to facts, as defined by ISACA, may prove beneficial to first-time and ongoing readers and users of COBIT.

Misconception: COBIT is a tool for Sarbanes-Oxley compliance only.
Fact: COBIT helps enterprises comply with any and all relevant legislation and regulations, including, but not limited to, Sarbanes-Oxley.

Misconception: COBIT is complicated and overwhelming.
Fact: The principles and supporting guidance in COBIT use business language to facilitate comprehension of the material; however, governance and management of enterprise IT are not simple topics to grasp or address.

Misconception: COBIT must be “implemented” in its entirety or not at all.
Fact: No enterprise is expected to implement all of the practices in COBIT; each enterprise should select the practices and activities that fit its business objectives, needs, and capabilities (including size and resources).

Misconception: COBIT is of value for big enterprises only.
Fact: COBIT can be used by enterprises of any size, particularly when considering the principles and enablers related to the governance and management of enterprise IT.

Misconception: COBIT provides specific directions and answers.
Fact: COBIT is not a specific route that tells an enterprise exactly where to start and stop; instead, it is a broader map that enterprises can use to determine their starting points and where they want to go. As a result, it can be used by any enterprise, regardless of its size, location, industry, or current level of management and governance capability.

Page 49

The content throughout this presentation was taken from several publications, including ISACA publications, COBIT training material, and newspaper and magazine articles.

Acknowledgements and citations are listed below:

• IT Governance Institute, Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0, 2008

• Karl Flinders, Why do big IT projects fail? Part one: The professionals, http://www.computerweekly.com/news/2240106569/Why-do-big-IT-projects-fail-Part-one-The-professionals, October 24, 2011, date accessed October 8, 2012

• Don Caniglia, Introduction to COBIT 5, ISACA, September 27, 2012

• ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, COBIT 5 An ISACA Framework, 2012

• ISACA, COBIT 5 for Information Security, COBIT 5 An ISACA Framework, 2012

• ISACA, COBIT 5: Enabling Processes, COBIT 5 An ISACA Framework, 2012

• IT Governance Institute, COBIT Control Practices, 2nd Edition, 2007

• ISACA, COBIT Misconceptions and Facts, @ISACA Newsletter, Volume 19, September 14, 2011, http://www.isaca.org/About-ISACA/-ISACA-Newsletter/Pages/at-ISACA-Volume-19-14-September-2011.aspx

Feedback, questions, and comments are welcome. Contact Arthur Hart by email at [email protected]