COBIT - Control Objectives for Information and Related Technology

Introduction:

COBIT stands for Control Objectives for Information and Related Technology.  It is a framework created by the ISACA (Information Systems Audit and Control Association) for IT governance and management. It is a tool which supports managers and allows balancing technical issues, business risks and control requirements. It is a control model that guarantees three control objectives – confidentiality, integrity and availability of the information system. It delivers a great value to the organization and helps business managers to practice better risk management practices associated with the IT processes.

Today, COBIT is used globally for the IT business processes by all managers. It is a thoroughly recognized guideline that can be applied to any organization across industries. Overall, COBIT ensures quality, control and reliability of information systems in organization, which is also the most important aspect of every modern business especially software development companies for which IT management is a vital process. 

COBIT Framework:

The COBIT business orientation includes linking business goals with its IT infrastructure by providing various maturity models and metrics that measure the achievement while identifying associated business responsibilities of IT processes. The main focus of COBIT is on following four specific domains:

1. Planning and Organization
2. Delivering and Support
3. Acquiring and Implementation
4. Monitoring and Evaluation

COBIT  has a high position in business frameworks and has been harmonized by several successful custom software development companies. COBIT is being used by all organizations whose primary responsibilities happen to be business processes and related technologies. This is for all organizations and business hat depend on technology for reliable and relevant information. COBIT is used by both the government departments, federal departments and other private commercial organizations. It helps is increasing the sensibility of IT processes to a great extent.

Components of COBIT:

• Framework:
• IT helps organizing the objectives of IT governance and bringing in the best practices in IT processes and domains, while linking business requirements.
• Process descriptions:
• It is a reference model and also acts as a common language for every individual of the organization.
• The process descriptions include planning, building, running and monitoring of all IT processes.
• Control objectives:
• This provides a complete list of requirements that has been considered by the management for effective IT business control.
• Maturity models:
• These accesses the maturity and the capability of every process while addressing the gaps.
• Management guidelines:
• It helps in better assigning responsibilities, measuring performances, agreeing on common objectives and illustrate better interrelationships with every other process.

Latest version of COBIT – COBIT 5.0:

The COBIT 5.0 framework has been able to bring about a collaborative culture within the organization and this better met the needs, risks and benefits of all IT initiatives. A COBIT 5.0 Certification not just prepares professionals for the global challenges to the business IT process but also delivers substantial amount of expertise information on:

• IT management issues and how they can affect organizations
• Principles of IT governance and enterprise IT while establishing the differences between management and governance
• Accessing the ways in which COBIT 5.0 processes can help the establishment of the basic principles along with other enablers
• Discussing COBIT 5.0 with respect to its process reference model and goal cascade

COBIT will be majorly beneficial to:

• CIOs / IT Directors
• Risk committee
• Process owners
• Audit committee members
• IT professionals

Conclusion:

COBIT aims to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals.

PCIDSS - Payment Card Industry Data Security Standard

Introduction:

PCIDSS stands for Payment Card Industry Data Security Standard. It is a proprietary information security standard for organizations including application development companies that handle branded credit cards from the major card schemes including American Express, MasterCard, Visa Inc., Discover Financial Services and JCB International. To protect cardholder data, these five global payment brands launched PCI (Payment Card Industry) Security standards council.

It ensures that merchants' credit card processing procedures meet certain security requirements as follow to make online payment systems secure:

• Install and maintain firewall configuration to protect data
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Use and regularly update antivirus software
• Protect stored data
• Develop and maintain secure systems and applications
• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
• Encrypt transmission of cardholder data and sensitive information across public networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
• Maintain a policy that addresses information security

This PCIDSS applies to all organizations web development companies that store, process or transmit cardholder data. Every business that accepts credit card or debit card processing payments and stores, processes and transmits payment card data must meet PCIDSS standard. 

PCIDSS specifies and elaborates on six major objectives as follow:

• A secure network must be maintained in which transactions take place. It involves use of firewalls that are robust enough to be effective without causing undue inconvenience to cardholders or vendors.  Authentication data such as personal identification numbers (PINs) and password must not involve defaults supplied by the vendors. Customers should be able to conveniently and frequently change such data.
• Cardholder information must be protected wherever it is stored. When cardholder data is transmitted through public networks, that data must be encrypted in an effective way. Digital encryption is important in all forms of credit-card transactions, but particularly in e-commerce conducted on the Internet by e-commerce solution provider.
• Systems should be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions. All applications should be free of bugs and vulnerabilities that might open the door to exploits in which cardholder data could be stolen or altered. 
• Access to system information and operations should be restricted and controlled. Every person who uses a computer in the system must be assigned a unique and confidential identification name or number.  Cardholder data should be protected physically as well as electronically.
• Networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place, are functioning properly, and are kept up-do-date. Anti-virus and anti-spyware programs should be provided with the latest definitions and signatures.
• A formal information security policy must be defined, maintained, and followed at all times and by all participating entities. Enforcement measures such as audits and penalties for non-compliance may be necessary.

Conclusion:

The beauty of the internet is attracting customers from around the world. However, it also attracts cyber criminals and so payment security is very necessary. PCIDSS is a security standard which has to be followed by every organization to secure cardholder data of customers. There are many software available for payment security provided by software development companies in India which facilitates data confidentiality, integrity, authentication, authorization etc.

Article Summary:

This article gives brief introduction about Payment card industry data security standard, its requirements and objectives. It also explains how a merchant should comply protection of cardholder data with PCIDSS.