ITGC Checklist - COBIT 2019 Framework Part4

The document presents Part 4 of the COBIT 2019 Framework ITGC Checklist, aimed at aiding understanding of IT governance principles. It outlines control objectives, tests of controls, and evaluation requirements related to change management and outsourcing IT infrastructure. The checklist serves as a structured guide for students and professionals in assessing compliance with COBIT standards.

Uploaded by animeshbiswas00

COBIT 2019 Framework – ITGC Checklist

TechEd Academy

We are pleased to share Part 4 of the COBIT Checklist, carefully prepared to support your learning and understanding of the COBIT framework.

Whether you're a student, professional, or enthusiast in the field of IT governance, this checklist is designed to assist you in grasping the key components of COBIT in a clear and structured manner.

E. CHANGE MANAGEMENT CONTROLS

Control objective 1: Control the impact assessment, authorisation and implementation of all changes to IT infrastructure, applications and technical solutions; minimise errors due to incomplete request specifications; and halt implementation of unauthorised changes.
References to regulatory framework: IR Arts 22a(1)(d) and 107; ICS8
Related information criteria: Integrity, availability, effectiveness and efficiency
COBIT ref.: AI6.1, AI6.2, AI6.3, AI6.4, AI6.5, AI6.6

Tests of controls:
1. Is there a formally approved, implemented and monitored framework/procedures for managing changes to IT applications, programs and databases?
2. Does the change management framework include/cover:
   a. Roles and responsibilities?
   b. Change request procedures?
   c. The assessment of risks and the impacts of changes?
   d. Management authorisation for change requests?
   e. Approval by the key stakeholders, such as users and system owners, before changes move into production?
   f. Management review and approval of changes before they move into production?
   g. The classification of changes (major, minor, emergency changes, etc.)?
   h. The tracking of changes?
   i. Version control mechanisms?
   j. The definition of rollback procedures?
   k. The use of emergency change procedures?
   l. Audit trails?
3. Are the following criteria for the segregation of duties respected in the context of program changes:
   a. Is the segregation of duties for development, testing, quality assurance and production tasks clearly established?
   b. Do program developers and testers conduct activities on "test" data only?
   c. Do end users or system operators have direct access to program source codes?

Documents required:
• Change management framework/procedures
• All records of a sample of changes (from change request log to move into production)

Evaluation:
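Questions 2 and 3 above are tested against the sample of change records listed under "Documents required". As an added example (not part of the TechEd Academy checklist), the Python below walks constructed change-log records and lists, per change, which of those questions it fails: authorisation and stakeholder approval dated before the move into production (2d, 2e), classification present (2g), version reference and rollback procedure documented (2i, 2j), emergency changes carrying emergency-procedure approval (2k), and no one person acting as developer and tester, or developer and deployer (3a). The record field names, the sample records and the way emergency approval is evidenced are assumptions, not something the checklist prescribes.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    """One sampled change as exported from the change request log (assumed field names)."""
    change_id: str
    classification: str                          # "major", "minor" or "emergency" (question 2g)
    authorised_at: Optional[datetime]            # management authorisation of the request (2d)
    stakeholder_approved_at: Optional[datetime]  # user / system owner sign-off (2e)
    deployed_at: Optional[datetime]              # date the change moved into production
    developer: str                               # who built the change
    tester: str                                  # who tested it
    deployer: str                                # who moved it into production
    rollback_plan: str = ""                      # documented rollback procedure (2j)
    version_ref: str = ""                        # version control tag / commit reference (2i)
    emergency_retro_approved: bool = False       # assumed evidence that the emergency procedure was used (2k)


VALID_CLASSES = {"major", "minor", "emergency"}


def evaluate_change(rec: ChangeRecord) -> List[str]:
    """Return the control exceptions for one sampled change; an empty list means no exception."""
    exceptions: List[str] = []
    if rec.classification not in VALID_CLASSES:
        exceptions.append("2g: change not classified")
    # 2d: the request must be authorised, and authorised before the change went live
    if rec.authorised_at is None:
        exceptions.append("2d: no management authorisation of the request")
    elif rec.deployed_at is not None and rec.authorised_at > rec.deployed_at:
        exceptions.append("2d: authorisation dated after move into production")
    # 2e / 2k: normal changes need stakeholder approval before production;
    # emergency changes are instead expected to follow the emergency procedure
    if rec.classification == "emergency":
        if not rec.emergency_retro_approved:
            exceptions.append("2k: emergency change without documented emergency procedure approval")
    else:
        if rec.stakeholder_approved_at is None:
            exceptions.append("2e: no stakeholder approval before production")
        elif rec.deployed_at is not None and rec.stakeholder_approved_at > rec.deployed_at:
            exceptions.append("2e: stakeholder approval dated after move into production")
    if not rec.rollback_plan.strip():
        exceptions.append("2j: no rollback procedure defined")
    if not rec.version_ref.strip():
        exceptions.append("2i: no version control reference")
    # 3a: segregation of duties between development, testing and production tasks
    if rec.developer == rec.tester:
        exceptions.append("3a: developer also acted as tester")
    if rec.developer == rec.deployer:
        exceptions.append("3a: developer also moved the change into production")
    return exceptions


def evaluate_sample(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map each sampled change id to its list of exceptions."""
    return {r.change_id: evaluate_change(r) for r in records}


def changes_with_exceptions(records: List[ChangeRecord]) -> List[str]:
    """Ids of the sampled changes that failed at least one test."""
    return [cid for cid, ex in evaluate_sample(records).items() if ex]


# Constructed sample of three changes drawn from a fictitious change request log.
SAMPLE = [
    ChangeRecord("CHG-001", "major", datetime(2024, 3, 2), datetime(2024, 3, 5), datetime(2024, 3, 6),
                 developer="alice", tester="bob", deployer="carol",
                 rollback_plan="redeploy previous build from the artifact store", version_ref="v2.4.1"),
    # stakeholder sign-off recorded two days after go-live, and the developer deployed it
    ChangeRecord("CHG-002", "major", datetime(2024, 3, 4), datetime(2024, 3, 10), datetime(2024, 3, 8),
                 developer="dave", tester="erin", deployer="dave",
                 rollback_plan="restore database snapshot taken before deployment", version_ref="v2.4.2"),
    # emergency fix: never authorised, no rollback plan, developer tested his own code
    ChangeRecord("CHG-003", "emergency", None, None, datetime(2024, 3, 9),
                 developer="frank", tester="frank", deployer="gina",
                 rollback_plan="", version_ref="hotfix-17", emergency_retro_approved=False),
]

if __name__ == "__main__":
    for cid, ex in evaluate_sample(SAMPLE).items():
        print(cid, "no exception" if not ex else "; ".join(ex))
```

Each exception string is prefixed with the checklist question it relates to, so the output can be pasted straight into the Evaluation column beside the sampled change; a change that is not yet deployed skips the date comparisons rather than being reported as an exception.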

Control objective 2: Test that applications and infrastructure solutions are fit for the intended purpose and free from errors, and that adequate data conversion has occurred.
References to regulatory framework: IR Arts 22a(1)(d) and 107; ICS8
Related information criteria: Effectiveness
COBIT ref.: AI7.2, AI7.6

Tests of controls:
1. Are all major changes tested against functional and operational requirements to ensure that original business goals are achieved?
2. Are all major changes executed in accordance with a test plan which covers:
   a. Organisational standards, roles and responsibilities?
   b. Test preparation, including site preparation?
   c. Training requirements, if needed?
   d. Installation or update of a defined test environment?
   e. Planning/performance/documentation/retention of test cases?
   f. Error and problem handling?
   g. Correction and escalation?
   h. Formal approval?
3. Are tests implemented on the live production system or in a test environment?

Documents required:
• Test plans and other documents relevant to the testing of a major change to an IT application/program

Evaluation:

F. CONTROLS ON OUTSOURCING IT INFRASTRUCTURE

Control objective 1: Identify services delivered by IT. Define, agree upon and regularly review service-level agreements, which should cover service support requirements, related costs, roles and responsibilities, etc., and be expressed in business terms.
References to regulatory framework: FR Art. 28a(2)(c); IR Arts 22a(1)(d), 48(c,f) and 108; ICS5, ICS8, ICS10, ICS11 and ICS12
Related information criteria: Confidentiality, integrity, efficiency and effectiveness
COBIT ref.: DS1.1, AI4.1, AI5.2, DS1.3, DS1.6, DS2.4

Tests of controls:
1. Are there clearly-defined benefits and business objectives in support of the decision to outsource?
2. Are management requirements and expectations clearly defined in the contract/SLA?
3. Were the risks assessed when deciding to outsource and taken into account when specifying the necessary controls?
4. Was the IT project carried out in accordance with existing project management standards?
5. Does the contract/SLA clearly define security requirements:
   a. Network security?
   b. Physical security?
   c. Anti-virus protection?
   d. Logical access controls?
6. Are the data backup requirements clearly defined?
7. Are provisions included for business continuity procedures?
8. Is there a clause on compliance with personal data protection regulations?
9. Does the contract/SLA give a detailed description of the service to be provided:
   a. Hardware and software requirements?
   b. Service support (help desk, incident management, problem management)?
   c. Maintenance and change management?
   d. IT staffing needs?
10. Does the contract/SLA include/cover the following:
   a. Formal management and legal approval?
   b. Costs, with specifications for payment (including frequency)?
   c. The principals' roles and responsibilities?
   d. User/provider communications procedure and frequency?
   e. Contract duration?
   f. Problem resolution procedures?
   g. Non-performance penalties?
   h. The dissolution procedure?
   i. The contract modification procedure?
   j. Non-disclosure guarantees?
   k. Right to access and right to audit?

Documents required:
• Contract(s)
• SLA(s)

Evaluation:

Control objective 2: Continuously monitor specified service-level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to stakeholders.
References to regulatory framework: IR Art. 22a(1)(e); ICS9 and ICS15
Related information criteria: Efficiency and effectiveness
COBIT ref.: DS1.5, ME1.4, ME1.5, ME1.6

Tests of controls:
1. Does the contract/SLA define reporting procedures as regards the type, content, frequency and distribution of reports?
2. Is a procedure in place for continuous monitoring and regular reporting on the achievement of objectives?
3. Have formal performance criteria been established to facilitate and measure the achievement of the SLA objectives?

Documents required:
• Monitoring report(s)

Evaluation:

Thank You

TechEd Academy